Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 20:53

General

  • Target

    JaffaCakes118_0d34c2fa5327a14db9c77ce9a139ef7dbe82c309ff1678d7c4d13bb056ed06e9.exe

  • Size

    1.3MB

  • MD5

    31ae2d26435112bf88765dd771443162

  • SHA1

    eb44f52a795edb5d9988890cc991eea072f11b47

  • SHA256

    0d34c2fa5327a14db9c77ce9a139ef7dbe82c309ff1678d7c4d13bb056ed06e9

  • SHA512

    313b2412153dfaa3be951a0b63f8d8c0dc592e6528c4c8cb950ff1daaccd0e07f49bb2854ee4f0aecd023a64e435431e4e679b6cbdcabb173b47337d7d93f6c5

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d34c2fa5327a14db9c77ce9a139ef7dbe82c309ff1678d7c4d13bb056ed06e9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d34c2fa5327a14db9c77ce9a139ef7dbe82c309ff1678d7c4d13bb056ed06e9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\FreeCell\es-ES\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1508
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\en-US\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1856
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qL41j3BMDm.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1600
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1820
              • C:\providercommon\dllhost.exe
                "C:\providercommon\dllhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2460
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1044
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2028
                    • C:\providercommon\dllhost.exe
                      "C:\providercommon\dllhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1360
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2276
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1976
                          • C:\providercommon\dllhost.exe
                            "C:\providercommon\dllhost.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1744
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
                              11⤵
                                PID:2548
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  12⤵
                                    PID:2724
                                  • C:\providercommon\dllhost.exe
                                    "C:\providercommon\dllhost.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2372
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
                                      13⤵
                                        PID:844
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          14⤵
                                            PID:1972
                                          • C:\providercommon\dllhost.exe
                                            "C:\providercommon\dllhost.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2460
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
                                              15⤵
                                                PID:1712
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  16⤵
                                                    PID:2700
                                                  • C:\providercommon\dllhost.exe
                                                    "C:\providercommon\dllhost.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3036
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
                                                      17⤵
                                                        PID:3048
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          18⤵
                                                            PID:2016
                                                          • C:\providercommon\dllhost.exe
                                                            "C:\providercommon\dllhost.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2740
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"
                                                              19⤵
                                                                PID:2732
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  20⤵
                                                                    PID:2372
                                                                  • C:\providercommon\dllhost.exe
                                                                    "C:\providercommon\dllhost.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1424
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
                                                                      21⤵
                                                                        PID:352
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          22⤵
                                                                            PID:2960
                                                                          • C:\providercommon\dllhost.exe
                                                                            "C:\providercommon\dllhost.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1288
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
                                                                              23⤵
                                                                                PID:3068
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  24⤵
                                                                                    PID:1696
                                                                                  • C:\providercommon\dllhost.exe
                                                                                    "C:\providercommon\dllhost.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1856
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"
                                                                                      25⤵
                                                                                        PID:1784
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          26⤵
                                                                                            PID:1640
                                                                                          • C:\providercommon\dllhost.exe
                                                                                            "C:\providercommon\dllhost.exe"
                                                                                            26⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2696
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
                                                                                              27⤵
                                                                                                PID:2676
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  28⤵
                                                                                                    PID:2760
                                                                                                  • C:\providercommon\dllhost.exe
                                                                                                    "C:\providercommon\dllhost.exe"
                                                                                                    28⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:2076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\FreeCell\es-ES\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\FreeCell\es-ES\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\FreeCell\es-ES\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\en-US\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ehome\en-US\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\en-US\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2884
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2164

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              195345953405fc726b06fe24b6282595

                                              SHA1

                                              3ccb6b4a18b26783db5ad4abff506a26e276ef7d

                                              SHA256

                                              760ad9fbd5cdda099062013b302b3fc8b70636d420eada61ea805877e6ad5805

                                              SHA512

                                              9f0c4046869dbc0204813b54ae3adcc51bbbf9db16c241a33edba0b0b2e6161757767d67bfb0f1261629ca76c4d0d5d3de342e4f250ba5d53a5275c6acba52d9

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              4efd22dba38ef3f1c7e73db627fe1ae7

                                              SHA1

                                              9b0406bfad41ece2d9ee8a9247251647a2bf7adf

                                              SHA256

                                              b15670d67698498ad3b5c42e22ee6691c6046567a18b8ba27f753217aad7f71d

                                              SHA512

                                              9b821ad0660ecb4a478530a8dfcd32eb2debc1dfad38d08a774355e0c84a529dea49d0e3694a90bf79125da27e5ec75593045a79407b1c0893802bf220323d7f

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              c12812a55d077980860008ef4e2f1409

                                              SHA1

                                              a9f5c35be1359b2f40c0d93d91eb4f8a0200065c

                                              SHA256

                                              03d6c6dd485ecdbfb10ee5854e2af1cb4544b923e984ea3e928c7ea107e54acd

                                              SHA512

                                              a8402f9ceefcc7d3add5c4487248f0e56926780935fa80d6f9416f354e3a65df5e19b6fc17da657f7b50c5f57836bcb4e12b30b386bddedfbcc10371a8f2acd3

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              d30068333b06890ec21b2f8323517a0d

                                              SHA1

                                              a0b872527183ee3fe731b37eddb4b38ee7179c51

                                              SHA256

                                              8fd069de6da8566ec8079ee3b6b5beef5e5f222788aa331d111a874b72bf9cfb

                                              SHA512

                                              6d9defad5a5ad2c529c8a6f93dd246221866f041c386cb0a60d021475795c6be454d47fb1117021aa880936e17b173b0534bf001ca259533670fa8f0e285500e

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              043ac162481ab5cda2f96ad0adfe5634

                                              SHA1

                                              bc34eeb15df0998707fd7f02fee85d06b0ed9349

                                              SHA256

                                              824f784fb2d7ccdd4c1ab95eb8a8444ac870f4af70dd5c1ecbc6a1466fc8d641

                                              SHA512

                                              4b5e275d19d6c5ef7cce4f2c4b76f23bfbf801cc072b13acf88f6f802e5a11bf1a50119c6a5e5c1bab7a62159714142f1b391859369046d825f25fe555a7fab0

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              5a94eef44030c4276a28ccc439e0ed86

                                              SHA1

                                              8c4715e62e7d556a4dde0d9f191e4eea3eda1bf0

                                              SHA256

                                              e4c10c07424344138fc2d69c88c51215d939380064424fcc6a49cdf13b644e40

                                              SHA512

                                              ffda343f0676d133d98b348cdd1164fac61ee5e4f30c050803c8d92873dac5a1ce639020025a9f720aa3c9befcad68f2ae2741c7bce9c0ca47f1558a6b792535

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              e232b999c6e70ef849f1cd995e628f4d

                                              SHA1

                                              f86162c87282b1a04fb42923cc541105cb095032

                                              SHA256

                                              be1275cde45f4c36aef4a97b634503e8fd71efe3a2054dcefae480b8f229faa6

                                              SHA512

                                              ebf428d23d91bb2e9b76ebb8a947b46e038214781411a7bd860374f715daa3f16109b55ecb7f0fa240099a354920d928f9f3d1a6bc74887d4611e31c281e87ec

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              2fed26cf54c8cbd9ee67d7bff553cf09

                                              SHA1

                                              ff6568250a3deffeba3e3ac4c3954f70f47075b3

                                              SHA256

                                              c9b309895a0217cbd1742d828355f7ced36ca89f4d137d93cce4e40130f36759

                                              SHA512

                                              f17dc9613a133720e0b719ef1fbddeb5409f54a71e9709247ad17f672bd2c7af5053b43fbdd2ef0e1781800e425a6996d26e2b5f92451ed56507e84e4df499ca

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              ad7f54c388c7ec78beee96624076428f

                                              SHA1

                                              d8c52626bb4d1a2e5ef8da603f3fafc6bc2e370d

                                              SHA256

                                              29eaf0d3fc2145fefa2c39041bffa8bb9520da2f99bd6bc9d07c49e201a2627d

                                              SHA512

                                              850f9008c211e044233c80623af40a8b2c5904a7c2c3964a1377a7e90fef24e0fc2a6bedb1fb4df02576eb350b6766d3545d1bda8d07fa36fbaa8f354b348020

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              bdc6515164098c6d6dddd3567f8078b6

                                              SHA1

                                              f617c2787cb652a09595b98937eba5721f512ef0

                                              SHA256

                                              92908a90b1ab846bb5aadd99103583dd0943dbdda920c8cb1449b62a5942de6d

                                              SHA512

                                              bd63b1f1102f5059146589a02e9aa33be6505c0e6c04e6152701a7235652486a84e2a716770b68ed27377af34e913b93c5e193bb1b5d66d2c02ec150cc4a347e

                                            • C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat

                                              Filesize

                                              194B

                                              MD5

                                              376b459e91ca3b0de531f9e8231139bf

                                              SHA1

                                              4ea313aec4676617a2dbe0b2e89deecb4d1b650d

                                              SHA256

                                              5aad90b2000ce640df3586a0888444b0ecdac3a689f6475e412fc1d0865f3e1a

                                              SHA512

                                              41be02bb3e89e7fc25f13080a99bb5377592adb29ac7266554195902b0c92ee5839d7cdd374094cd0832e8ee59abe19ab623a4847b5c376e954da20abe875e55

                                            • C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

                                              Filesize

                                              194B

                                              MD5

                                              f84c02285e3aef998011e325f16eb40c

                                              SHA1

                                              160585b5e25d5cede38d45e831342dffa09fbaf4

                                              SHA256

                                              944af591a5c55367ae57bf7a4405f6eba47f848b68c4ddbd4e0c669445bffc89

                                              SHA512

                                              8d424e0d0b1a55b900c96dc559eaa21b6b8f56d7e032778aa06f17422aa10608c48ad62f520ed36a57a50f9b9696a6ec49dc43407ce272b1999af2659c999e66

                                            • C:\Users\Admin\AppData\Local\Temp\CabE0FE.tmp

                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat

                                              Filesize

                                              194B

                                              MD5

                                              d86f569324f96873f17725e174f43910

                                              SHA1

                                              cd643fa27f83ea7bbd7e7f359d3f6d18a7eac443

                                              SHA256

                                              405fe4e760a55512c76382e023e1c57e5b8ecc99c0739a29757f9790abfa13bc

                                              SHA512

                                              cca9f0c0de9416882a994d85c0ca2399d62d3a8ce3b16f18a8b536659ab4959626aacfa06b4ea0f409a2e2644f319c97dae9fead9d1d65235ece5aa60a74d6f3

                                            • C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat

                                              Filesize

                                              194B

                                              MD5

                                              b76f7c1d08be80b2feeccb44d41fc14b

                                              SHA1

                                              536783698d11983650a226cee2c03f640cd6a727

                                              SHA256

                                              5cbf48b5e6909b5763b3a1e78f45b4d2e94784efd1a5b19c7be149fd0aab2d87

                                              SHA512

                                              dfc81d91a26781dfd07c18e1a2c0f023879b30f0ca334837cb3bb5751c0f10758199ab7ab83e2c0ef889838041bdd51ae25bf4e8ca9009dd4065b4281082f8fc

                                            • C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat

                                              Filesize

                                              194B

                                              MD5

                                              6463b577891b9fbc29b9fe241de80c07

                                              SHA1

                                              4ca25c9198eb18b6c1167267eb7c4239ac21b5a3

                                              SHA256

                                              596011b8d717c1da8994b3aaf1c6958a47ebaa7ada00f437c46c4d1ccef61bdd

                                              SHA512

                                              6281fac2afa73eebd81002b9a6817bb7bef1b253e37403a32336a5aa426d5921b29e82007628c131234cfad00b1929fcdac94c7db9204a1ae480795b4c327f57

                                            • C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat

                                              Filesize

                                              194B

                                              MD5

                                              cb8b2a2a5e9ce20a4d50a9d1c2f3b675

                                              SHA1

                                              398e68f4c49896b2f0b5a1914530c63ae17694dc

                                              SHA256

                                              e84dcd011597c71cba1d3a9b2eb23cb9504f55e6d832cc0bc8b2c8dd38436a2b

                                              SHA512

                                              51f80abdaf17224429a72b92a72af9b8235600765d14f716cb739bd805cd2ae87ff4a30037b35d0ce0cb2c701e4ab1e9f97f15a31c35269a0700007a6657cd20

                                            • C:\Users\Admin\AppData\Local\Temp\TarE111.tmp

                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

                                              Filesize

                                              194B

                                              MD5

                                              186213beaeddae9d6e3c189ad1cfb2ad

                                              SHA1

                                              0b21a414cafbbb3eb2ad829806ae50aa4ca2fbe5

                                              SHA256

                                              617e10469b5e5bb9922cdf527b98c08884958a95d1cd8c48e6388f69965025d3

                                              SHA512

                                              903d542cdd8e286637146ca9d05716ac68607e8359d3152b8ad19ba795d6a546d022a64717115a52c684042c35c1d971e811165ecc28f6ca420f4e7fb8073262

                                            • C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

                                              Filesize

                                              194B

                                              MD5

                                              fc1733ecb69f49509e7b91cccee90828

                                              SHA1

                                              b669674ba5023417f11d80c317c6708f70e8e33d

                                              SHA256

                                              369deb10cb7e1079b39357efc67337d2eaefe259565604ecb895b4c36b247fa5

                                              SHA512

                                              965704fe60891c9f75bc4254ee79bb9f2232dbfd05b2fb6b1b0b64d31aad417ef2c6e5c3a7455d5c8639266b0eb2c6fc3a1c5bdaebdcacae77f2d66275d32ee8

                                            • C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

                                              Filesize

                                              194B

                                              MD5

                                              e03c6a3ebc18212c74f6b1b3156791db

                                              SHA1

                                              957306c55143e6d90f0696878d26ee3deaad857a

                                              SHA256

                                              e35bdd98f0891e27d2f92479c585c78a7fd94a01a85067b1ebe3543a0b95b25b

                                              SHA512

                                              2cea7e5c75ec1d27baa933f06af89e72ebdf4cc1676d741fcd187aa8c88f4649f370e7c91567b9595eb2cbb3849fefe4dc0beda65e04d86536423c540dff2e16

                                            • C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

                                              Filesize

                                              194B

                                              MD5

                                              c47f8f71c37a6fefa96912c82c2b89e3

                                              SHA1

                                              bad28a6dd085afc4af496110146254fe2b94d1f6

                                              SHA256

                                              b5b9627a19f0d36ac7804da03f644a15093043a5aafe41118f32f80189ad43e5

                                              SHA512

                                              b7939e40c6c8b5c0afe53698b1e1eefadadef36717626c21b338c27c448f01d3f82b887ff88113ae76dc14463034d823c3c60ff7288a1da4e22b93fc55aef503

                                            • C:\Users\Admin\AppData\Local\Temp\qL41j3BMDm.bat

                                              Filesize

                                              194B

                                              MD5

                                              840a89bbf4e69e7e2e1803b9f7f90a6c

                                              SHA1

                                              ca5a2fa6195dd934e3182a864218ef9811b6fcd7

                                              SHA256

                                              aacf12b1eb76ac112a5081e31405296d5c4189f0ea755f8f57bfdbec4568ab20

                                              SHA512

                                              6e77a5b975dac79416468bdb9206cace45dbd3d43058018aeac76f3f62b3f12894c128d815be7c1b9b2b0a663f69161c5d0d146fbefe54564816901a7eb2379d

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB

                                              MD5

                                              1c58cabbeff258bfc4b03b7128ac461a

                                              SHA1

                                              aa8d8b5dbab19291cb269a2a81765a814e4f3b9d

                                              SHA256

                                              4ba7eb48e909fb8dc8e575061f594177f29015717584722f0c7e05b7f2a3d873

                                              SHA512

                                              01250bcc8f4db297de8b802f77c85a3348bfbd87d5953b6c00f404bf6d41974b7d8afb9cffb9308f4c26c42aeded4b3b1de550cb342e8a8536de97d80b038cae

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • memory/1288-567-0x0000000000080000-0x0000000000190000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1360-147-0x0000000000150000-0x0000000000162000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1424-507-0x0000000000140000-0x0000000000250000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1744-207-0x0000000000250000-0x0000000000262000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1856-627-0x00000000010A0000-0x00000000011B0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1988-68-0x0000000001D80000-0x0000000001D88000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1988-53-0x000000001B5B0000-0x000000001B892000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2076-747-0x00000000012B0000-0x00000000013C0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2372-267-0x0000000000270000-0x0000000000380000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2460-87-0x0000000000D40000-0x0000000000E50000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2460-327-0x00000000000B0000-0x00000000001C0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2460-88-0x0000000000A60000-0x0000000000A72000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2696-687-0x0000000000340000-0x0000000000352000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2740-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2740-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2740-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2740-17-0x0000000000400000-0x000000000040C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2740-13-0x0000000001000000-0x0000000001110000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2740-447-0x0000000000260000-0x0000000000272000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3036-387-0x0000000000D60000-0x0000000000E70000-memory.dmp

                                              Filesize

                                              1.1MB