Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 21:20

General

  • Target

    JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe

  • Size

    1.3MB

  • MD5

    732feb348deab0790fffe8c519942e99

  • SHA1

    608f37e9e72eef830a498e159d03c383056190ec

  • SHA256

    eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560

  • SHA512

    8c888f1f43430ec5616a3dc299aa1408f6942f32a4715d56ba3542a69656616a5d6224e9522f0fdeb55afbb56e54b1b1f23f17cca299918bc686a8a9fed13263

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 17 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eda1fbfb5980293e042c9086976e1f9669e9a9efbdd06ff0e89ab1354120c560.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:332
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2832
          • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
            "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4056
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4536
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1440
                • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                  "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1420
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4288
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:3448
                      • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1516
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4352
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:3956
                            • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                              "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4400
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1916
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:2380
                                  • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                                    "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:2560
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1996
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:3404
                                        • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                                          "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:2928
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:4308
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:4232
                                              • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                                                "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:3416
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
                                                  18⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2636
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    19⤵
                                                      PID:5000
                                                    • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                                                      "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                                                      19⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2764
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
                                                        20⤵
                                                          PID:1516
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            21⤵
                                                              PID:2208
                                                            • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                                                              "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                                                              21⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2396
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
                                                                22⤵
                                                                  PID:1496
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    23⤵
                                                                      PID:1632
                                                                    • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                                                                      "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                                                                      23⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:5020
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
                                                                        24⤵
                                                                          PID:4176
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            25⤵
                                                                              PID:3296
                                                                            • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                                                                              "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                                                                              25⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1996
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
                                                                                26⤵
                                                                                  PID:2868
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    27⤵
                                                                                      PID:3984
                                                                                    • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                                                                                      "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                                                                                      27⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4340
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
                                                                                        28⤵
                                                                                          PID:3736
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            29⤵
                                                                                              PID:1964
                                                                                            • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                                                                                              "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                                                                                              29⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2708
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"
                                                                                                30⤵
                                                                                                  PID:5060
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    31⤵
                                                                                                      PID:1616
                                                                                                    • C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe
                                                                                                      "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe"
                                                                                                      31⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Modifies registry class
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:4820
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
                                                                                                        32⤵
                                                                                                          PID:2660
                                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                            33⤵
                                                                                                              PID:2344
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1440
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:628
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2440
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3116
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4480
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3112
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4108
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3408
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2936
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2476
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4176
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:700
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\providercommon\upfc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1996
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4524
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2580
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2448
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4164
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2032

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

                                              Filesize

                                              1KB

                                              MD5

                                              baf55b95da4a601229647f25dad12878

                                              SHA1

                                              abc16954ebfd213733c4493fc1910164d825cac8

                                              SHA256

                                              ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                              SHA512

                                              24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                              Filesize

                                              2KB

                                              MD5

                                              d85ba6ff808d9e5444a4b369f5bc2730

                                              SHA1

                                              31aa9d96590fff6981b315e0b391b575e4c0804a

                                              SHA256

                                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                              SHA512

                                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              6d42b6da621e8df5674e26b799c8e2aa

                                              SHA1

                                              ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                              SHA256

                                              5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                              SHA512

                                              53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              d28a889fd956d5cb3accfbaf1143eb6f

                                              SHA1

                                              157ba54b365341f8ff06707d996b3635da8446f7

                                              SHA256

                                              21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                              SHA512

                                              0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                            • C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat

                                              Filesize

                                              250B

                                              MD5

                                              bc5ca021ea72349bca7347f7d9df77f2

                                              SHA1

                                              915648ca64a087fa7fbc0950340788dd04d005cd

                                              SHA256

                                              21bb139bb01ba4dfbacc87ad57d2d86da3021edc8799f3f9080ec3dca3de106b

                                              SHA512

                                              223d2b2c1d8b4b9d3080faaa5da2f82eb336d51e144d25763302d7ca479c19c287b7b8daf4a159ee307ae80f861c3f7420e66d5963ad6502c596c8570e9263ff

                                            • C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat

                                              Filesize

                                              250B

                                              MD5

                                              78ed30e68bd8de54fd992127d5327ae3

                                              SHA1

                                              40fb4ddfa6a83cfc31d89430849ebd175fb9bb02

                                              SHA256

                                              4acb56dd526fefe3c3dd316690b0a503c2f0db597345e469a8e019df8c660cb0

                                              SHA512

                                              163d4ec343f89741c740b253fd0ba901874802953d90ad858e6aa4fbc9fcef335c7f16271292f5557b20f3ec9f1961b9033dab9d01416f603db98c03a772ea7b

                                            • C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat

                                              Filesize

                                              250B

                                              MD5

                                              36e1e0ded778d493b7208234f8c204b4

                                              SHA1

                                              89e5f31df68dbc0a0891613ee15afc4faf3c49ba

                                              SHA256

                                              574bf6b6b2347cb2ed61e4eb078a32b6cab4d33b81ac9b856b8d0dabd8ac1cf6

                                              SHA512

                                              f7b32f050246a09b65b75ccc91e76141b3339026983e47280fdc85a14c4231408cf33ae1b644d74a56c5e5151ecce0f69c95ecb56c76cbc7687ecb9ff098cc8a

                                            • C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

                                              Filesize

                                              250B

                                              MD5

                                              f06c4d49e9cfae159d7d70893616dbec

                                              SHA1

                                              4e33faf6060df681d3fbce2c1486b8d8613bd91b

                                              SHA256

                                              20e4a1f11472e213e2b07efad16e4de4e53e2767444366b61f571f858a71d6a2

                                              SHA512

                                              f946bec6f2b6d81cc20d28395a0e0d216335528c9666d194213b3fd080fc3e7ccc41841213f61a36c6bec090e7d748ed25eb44f007a5235b6f4c5432662eacb2

                                            • C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat

                                              Filesize

                                              250B

                                              MD5

                                              188ba705bf54cf511eefc87eab24a60b

                                              SHA1

                                              ef74811595d3945f08418234b9205e447c1d8da1

                                              SHA256

                                              ed643a6f836f65477675c0907447af54244dbb1aad264d6613c3fb38b291a1e2

                                              SHA512

                                              e54ec9e7f7beae4c7d30c561846332c55b3857cf31ad7db6d65e375058c1062742c4793630f0f8394e9d5f1e37e33028f26c83239ab8e89a8e7558b228379c6e

                                            • C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat

                                              Filesize

                                              250B

                                              MD5

                                              107d7b4b2b9068053266ffef892ee669

                                              SHA1

                                              aec994c1d4da6c9f17a19d11cdb5d7d9f785938e

                                              SHA256

                                              cd308ce60c07857f4b0e786eb511997528b4adedc56d563865e2c8121987ed24

                                              SHA512

                                              dee037d544c79662718019cfd7965a2128687733fef4eb67e858e91a245cf12826b6669c8b2d39623a028ec137ebdbbbf81e1ce14a87d80563a6a6c8805e9a04

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_plznqzix.ag2.ps1

                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            • C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat

                                              Filesize

                                              250B

                                              MD5

                                              961ee3a6b9b8378d0cac15e327a4c190

                                              SHA1

                                              31bd7c8c4e7b587f411c8d220513ef1e4e6791c4

                                              SHA256

                                              c140121417c1b4f8a19d3a052c827efcf528b8e66f99bdfd7557aa163a0882aa

                                              SHA512

                                              74567125a146797a4cf69b2dd3c8f2a8f9c7bf2d57210f648c2d103ecaf32c49384f6a43e8021b7665663bcaaae354cc44434e4a514bea772d5dfa857ac9e374

                                            • C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat

                                              Filesize

                                              250B

                                              MD5

                                              c2588a3c41921148b1d3558b90886f34

                                              SHA1

                                              0a7766b6181bf793d6eefcd986f945f88dd9f4e7

                                              SHA256

                                              59d42e8fc9a64092c576303a7ed036498357e2b71931842a9479e02ba517f0d2

                                              SHA512

                                              0e09a917fbd8f0145a3e412c67b6c07c183ba6ffe9cbaf62fb5b90b01852f67aa9af92b381a944091bb1847444d3e7503c4a6bd7015585db981a70af79f2367f

                                            • C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

                                              Filesize

                                              250B

                                              MD5

                                              2f5821070946ff636e9855ed53f22f16

                                              SHA1

                                              50e2ab9e41377bdfb54430a5809c68ec6d7ed12c

                                              SHA256

                                              8e994594a118146c783d1fc85dcc12af74c28705a6ec6896551a99885c837840

                                              SHA512

                                              efae4a5c2adbd3d5f9b89db60b61f04c11e27e87d760c4b3c514b64ab22fa96d55bec8b51c2f8c83d5df4e3f2d9201f04f0a460b3796620f20b47376fdc954c6

                                            • C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

                                              Filesize

                                              250B

                                              MD5

                                              639d41d0ffa90b31e0f629f5f8ee29e9

                                              SHA1

                                              b2d86f2f688e9b8950bce3f6c3ec3e7a7eb4a63f

                                              SHA256

                                              10dc1dcacd3f754f7b058a0d50dea236c399b32f81453c9044ebf89adab4a861

                                              SHA512

                                              5b6a6e7913c893eb4548b3e454df66eecfd57a8f853ee9a85de6ef881ecab4b2e3ac66bc0e25db491396ce508b96cf38760bac5bff86b93b37c749065f81136e

                                            • C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat

                                              Filesize

                                              250B

                                              MD5

                                              cb6f6782b2df1a85fe1f898bb585dcd8

                                              SHA1

                                              2345943cc4b94b74fa0077c9cbc6d898d2558554

                                              SHA256

                                              f0a994da57a7c0d7f29acab158d1f99f77c28d9a13ee365d81afda523223ff5e

                                              SHA512

                                              a6f0f6c88365ea31c828cb43d92a821417b3b4135ecf378fbcf51235cba72f6a7132434db806983f3a20ea7038bbef4f90359971e49fde84776490aaf7087ce5

                                            • C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat

                                              Filesize

                                              250B

                                              MD5

                                              b59e68de6e20e5d554e3da90ba3d48f5

                                              SHA1

                                              10881fabbc0da2c12a070a602826a9deba9e28db

                                              SHA256

                                              f88535734f2099ff3bd49d31f7c8fe1166a63935d5e7df0ccd4c59ec96eb3274

                                              SHA512

                                              baecfe017f8d3010d33e01d02d1b51272cefa3f06023cafd39dbeea147ee41f49d6c7afadeb11db0bbe57fe5d6071403d5d98724788265779315d27432f46035

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • memory/2708-196-0x000000001AFF0000-0x000000001B002000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2764-164-0x000000001BBF0000-0x000000001BC02000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3976-17-0x0000000002A20000-0x0000000002A2C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3976-12-0x00007FFE577E3000-0x00007FFE577E5000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/3976-13-0x00000000005B0000-0x00000000006C0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/3976-14-0x0000000002880000-0x0000000002892000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3976-15-0x0000000002890000-0x000000000289C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3976-16-0x0000000002A10000-0x0000000002A1C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4352-55-0x000002841E340000-0x000002841E362000-memory.dmp

                                              Filesize

                                              136KB

                                            • memory/5020-177-0x000000001BDF0000-0x000000001BE02000-memory.dmp

                                              Filesize

                                              72KB