Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 21:00

General

  • Target

    JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe

  • Size

    1.3MB

  • MD5

    10c386e880209d4025bdf3b29ce4a48d

  • SHA1

    02d8babcffff08f5cf6da5b771045384bdc8036d

  • SHA256

    6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3

  • SHA512

    03c63901e6f13f6e446a017de6d0faa9d4cfd77146c48f2d1c22affd50ab6a2765199cf9e02e532c24dfc827e6816d6ba91442c7e88f5b909273a911c822a3da

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4380
          • C:\providercommon\lsass.exe
            "C:\providercommon\lsass.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:872
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4572
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:944
                • C:\providercommon\lsass.exe
                  "C:\providercommon\lsass.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4740
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2036
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:3344
                      • C:\providercommon\lsass.exe
                        "C:\providercommon\lsass.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1136
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4800
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2772
                            • C:\providercommon\lsass.exe
                              "C:\providercommon\lsass.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2444
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:372
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:4028
                                  • C:\providercommon\lsass.exe
                                    "C:\providercommon\lsass.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:872
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1968
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:3516
                                        • C:\providercommon\lsass.exe
                                          "C:\providercommon\lsass.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:3680
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:4472
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:3528
                                              • C:\providercommon\lsass.exe
                                                "C:\providercommon\lsass.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3452
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
                                                  18⤵
                                                    PID:1180
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      19⤵
                                                        PID:3392
                                                      • C:\providercommon\lsass.exe
                                                        "C:\providercommon\lsass.exe"
                                                        19⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1892
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
                                                          20⤵
                                                            PID:2840
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              21⤵
                                                                PID:3028
                                                              • C:\providercommon\lsass.exe
                                                                "C:\providercommon\lsass.exe"
                                                                21⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4660
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
                                                                  22⤵
                                                                    PID:4536
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      23⤵
                                                                        PID:5052
                                                                      • C:\providercommon\lsass.exe
                                                                        "C:\providercommon\lsass.exe"
                                                                        23⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4696
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
                                                                          24⤵
                                                                            PID:3048
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              25⤵
                                                                                PID:3148
                                                                              • C:\providercommon\lsass.exe
                                                                                "C:\providercommon\lsass.exe"
                                                                                25⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:4140
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
                                                                                  26⤵
                                                                                    PID:2672
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      27⤵
                                                                                        PID:3672
                                                                                      • C:\providercommon\lsass.exe
                                                                                        "C:\providercommon\lsass.exe"
                                                                                        27⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:940
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
                                                                                          28⤵
                                                                                            PID:2360
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              29⤵
                                                                                                PID:4460
                                                                                              • C:\providercommon\lsass.exe
                                                                                                "C:\providercommon\lsass.exe"
                                                                                                29⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4556
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4472
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2240
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1328
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2992
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3268
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1392
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2464
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2772
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4424
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3608
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3680
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3100
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4312
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1668
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:384
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4968
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:584
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4900
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1952
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1748
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4252
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2300
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2728
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4572

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

                                        Filesize

                                        1KB

                                        MD5

                                        baf55b95da4a601229647f25dad12878

                                        SHA1

                                        abc16954ebfd213733c4493fc1910164d825cac8

                                        SHA256

                                        ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                        SHA512

                                        24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                        Filesize

                                        2KB

                                        MD5

                                        d85ba6ff808d9e5444a4b369f5bc2730

                                        SHA1

                                        31aa9d96590fff6981b315e0b391b575e4c0804a

                                        SHA256

                                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                        SHA512

                                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                        MD5

                                        d28a889fd956d5cb3accfbaf1143eb6f

                                        SHA1

                                        157ba54b365341f8ff06707d996b3635da8446f7

                                        SHA256

                                        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                        SHA512

                                        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                        MD5

                                        2e907f77659a6601fcc408274894da2e

                                        SHA1

                                        9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                        SHA256

                                        385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                        SHA512

                                        34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                      • C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

                                        Filesize

                                        192B

                                        MD5

                                        45abc89d2042037250f411dd3e0af20c

                                        SHA1

                                        a6e026d987ce0a7fc1419e0bc359880ae8ce120f

                                        SHA256

                                        58e144aa01731d662e527888ec3e69eb7972f6d36442de816ae0b617871b1164

                                        SHA512

                                        16bcb569928e1d4417780fadff20ea180ce7b0999d856898a1055de2d188b04c9f3030e6b2f8dbe232a41748f3952ab9486527ccef62909e6afae4e1956eff57

                                      • C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

                                        Filesize

                                        192B

                                        MD5

                                        51a256cc1c08245ce47ce0973ad3adf1

                                        SHA1

                                        15067d3a0696272bd6f21cbfbf71978d4bc864e2

                                        SHA256

                                        d6e15c84fea337fcceb17e024635badc211717069f3d19485cd02c241c16e919

                                        SHA512

                                        1ab55ab07a1ad83e63a890b68ae071a2d8629e21c019a269b6f33665a3d7ecedf2f865d93a2f0b45007342ebff3fdd4fa365fb3ec3c45a456a0c96fa0a5422f9

                                      • C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

                                        Filesize

                                        192B

                                        MD5

                                        49d4dc762057640dfcb0e04ba1e29a64

                                        SHA1

                                        d28c377473aa276bc8f24c58132855352557f488

                                        SHA256

                                        4b4d1fcd02207bcd490678c6864ced9fbe75911bac0051cad0d852fe5bb8d85b

                                        SHA512

                                        26323cbc6b2eb3f4cafadf99fd2a1a18273b6e38f3f07762219488acf370828bd169d584b199bda88e0134795cc1f9fb0fe09fe7bc62a14471d1e854297657b5

                                      • C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

                                        Filesize

                                        192B

                                        MD5

                                        f5f2302b3b9a4939933ac18af6dc01f2

                                        SHA1

                                        71fa235603048fc66ec06c8545bee7afac7d5376

                                        SHA256

                                        b1f676ab43b822853aaf9150a15268ada95eead88a8b463ea787cae6aef448b3

                                        SHA512

                                        daf0ce2c1e5ffb1449d1cb640f1bf5de1b82c3247dd9cfea5df7e7035702bf25597cdac99c78aeebb8fba1987911a9f821ddaf60606439d688a8cddb42df3206

                                      • C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

                                        Filesize

                                        192B

                                        MD5

                                        22f286c6f761dd0b6a57f871c2d90ed3

                                        SHA1

                                        6a5e513e0190402cd4c018dbeb0b14c914774656

                                        SHA256

                                        f477d040544a721208c514a1693b993b876d437ac3d047664f73ecea04212458

                                        SHA512

                                        d7e97d5baff087a03aff2d85faa0bbf0099aa431e4ae3451f2f397e8f5cbbf6d7ace874377643f9fb8a20d7ed6578495d59dbd042106c5a1b939ad9dd8178a1a

                                      • C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

                                        Filesize

                                        192B

                                        MD5

                                        92f97ae8d732194d84e08fc0f3d0e16a

                                        SHA1

                                        dbed965b6a5e23d71bc1e12f22cc3a39c636f5f0

                                        SHA256

                                        7f245728e4fc399f193e1998fef0bcfa1c84901e8db0f117999e4d4d697fbef2

                                        SHA512

                                        447c9cc22a360aaa29f9a872b362b2ceba136390218650eea4306529e0023ac2b759102923647dfe32845fd8ea247502d3b313e982d7be8f813beae9a1817c1a

                                      • C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

                                        Filesize

                                        192B

                                        MD5

                                        b3e91db14ab3eacd70ceb33482073b6e

                                        SHA1

                                        9fdff0a45716ed6835fefde104ca3295a05eea4a

                                        SHA256

                                        ca388a6491f9d151608194a1531f06e2d58eeb371ad2b31651bdfeae6b993eb4

                                        SHA512

                                        d5fd2cce3cda552f032c5fe511ce449e170acc8fec00958f9dd835388d04a42a9e2e23e4f9f1f79fd9bf3d997bb65588b92a0c48661ba9e94829bdd7e9b83b76

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fju41czc.mh0.ps1

                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                      • C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat

                                        Filesize

                                        192B

                                        MD5

                                        e482ec13dbca9b92187af53256eba9a4

                                        SHA1

                                        47c1314c45c07afb3b4a10370410c5e12e655e11

                                        SHA256

                                        9182171ffeb7abb36b93709c4e168171b1093181158ceb72ce1abaa2cfeab929

                                        SHA512

                                        f1411b2c88776307ab08cb7535425446ccd2603771a0a2a03600efd4f907609042438571c73adc3b40a997d9f616480d005fac3aac3e722edeea23ac53112e4f

                                      • C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

                                        Filesize

                                        192B

                                        MD5

                                        2f4a2a554e5f442963575842b8ff14d3

                                        SHA1

                                        21c04a496cd8d32fc3a25c63170da77939561f9c

                                        SHA256

                                        ebcd74062fb4a9aebda7027663df3d1d0e733438b81a73607a5592dec18e8e32

                                        SHA512

                                        c9d99979ec81b5644c0b7eab9380d1b7297b1447b451a57a9901abfc2c9433c78192bbd1aaddb568edeab345fe731e267e7b73b51f3d081b394e7e18e2e56e07

                                      • C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat

                                        Filesize

                                        192B

                                        MD5

                                        2b49a1fb0c9e9f197668c856a89a06da

                                        SHA1

                                        7ce7e1ee80be9920902301158aa94391fca11c4d

                                        SHA256

                                        b17c1bc15ffb495af88389a33051ff77624730edf4f76ebe28a75e685b84d915

                                        SHA512

                                        30d9e5a02ca24528e41f37f9ea44daa9a10dda9bf0d256f1f654d4ec54383dd5707b93dc2e37df4d1d7858daa8e00ec57adad36c1082473c545af2e9c047199b

                                      • C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

                                        Filesize

                                        192B

                                        MD5

                                        45d0d97df7543cac9d042a069b893964

                                        SHA1

                                        e9b8e3ad42ad8767df63876f7501a81d2fdfbc71

                                        SHA256

                                        61faedaca1cf224d5d80f3c6d65dee8c9ac0019d3f3534b7cae67164fc5426e0

                                        SHA512

                                        43bdf556bc2d484b0706d48cec8a7f9b1d27f1db77036af9540a1b7678248a5344fcae3f0c75c7c1965edd8f89309bc3c7ca40c60adf05233efe9c7a76948944

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • memory/548-17-0x0000000002B90000-0x0000000002B9C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/548-13-0x0000000000940000-0x0000000000A50000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/548-12-0x00007FF9952A3000-0x00007FF9952A5000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/548-14-0x0000000002B60000-0x0000000002B72000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/548-15-0x0000000002BA0000-0x0000000002BAC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/548-16-0x0000000002B70000-0x0000000002B7C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/728-59-0x0000023AB2CF0000-0x0000023AB2D12000-memory.dmp

                                        Filesize

                                        136KB

                                      • memory/940-213-0x000000001ADF0000-0x000000001AE02000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/4140-206-0x00000000013F0000-0x0000000001402000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/4556-220-0x000000001AFF0000-0x000000001B002000-memory.dmp

                                        Filesize

                                        72KB