Overview

overview

10

Static

static

10

JaffaCakes...81.exe

windows7-x64

10

JaffaCakes...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 08:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe

  • Size

    1.3MB

  • MD5

    0b679af47908d80512e1687f8cb4196a

  • SHA1

    40b51ee7924f1aa6938c2d4baad032c44763d738

  • SHA256

    fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181

  • SHA512

    9cb612e2644203cbbedac3388b8880cc39e9e9e0770780ec3b48703f57d64f7ffb101379541fa63964f84c922f344736c0cad6a39fcf90da563b9fc18c82760a

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 18 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 16 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 16 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd2daf520c7a7a7fc79407fc29a8ed70460544ca709e1896ab7202cbfca24181.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\taskhostw.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:228
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\{F123CA10-B28F-434D-9884-6C3679B73C43}\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2868
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1oTY5n7bJl.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1280
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2144
              • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:220
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4452
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:3176
                    • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                      "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:232
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4684
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:4296
                          • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                            "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2364
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4456
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:4112
                                • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                  "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4316
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3692
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:4952
                                      • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                        14⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:4088
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:3276
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:5060
                                            • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                              "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                              16⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:2896
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
                                                17⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:3040
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  18⤵
                                                    PID:1296
                                                  • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                                    "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                                    18⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3760
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
                                                      19⤵
                                                        PID:224
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          20⤵
                                                            PID:5040
                                                          • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                                            "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                                            20⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4612
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
                                                              21⤵
                                                                PID:4080
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  22⤵
                                                                    PID:1008
                                                                  • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                                                    "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                                                    22⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2128
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
                                                                      23⤵
                                                                        PID:4836
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          24⤵
                                                                            PID:1868
                                                                          • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                                                            "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                                                            24⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3572
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
                                                                              25⤵
                                                                                PID:4840
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  26⤵
                                                                                    PID:5108
                                                                                  • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                                                                    "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                                                                    26⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4708
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
                                                                                      27⤵
                                                                                        PID:4616
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          28⤵
                                                                                            PID:1876
                                                                                          • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                                                                            "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                                                                            28⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1140
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
                                                                                              29⤵
                                                                                                PID:4944
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  30⤵
                                                                                                    PID:4892
                                                                                                  • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                                                                                    "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                                                                                    30⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Modifies registry class
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:3604
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
                                                                                                      31⤵
                                                                                                        PID:5092
                                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                          32⤵
                                                                                                            PID:1724
                                                                                                          • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                                                                                            "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                                                                                            32⤵
                                                                                                            • Checks computer location settings
                                                                                                            • Executes dropped EXE
                                                                                                            • Modifies registry class
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:4520
                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
                                                                                                              33⤵
                                                                                                                PID:1956
                                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                  34⤵
                                                                                                                    PID:2908
                                                                                                                  • C:\Program Files (x86)\Windows Portable Devices\csrss.exe
                                                                                                                    "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
                                                                                                                    34⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:2740
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1912
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1312
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5032
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3716
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1480
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4180
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\taskhostw.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3444
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Google\taskhostw.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4568
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\taskhostw.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3428
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4248
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4948
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3240
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Install\{F123CA10-B28F-434D-9884-6C3679B73C43}\System.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4768
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{F123CA10-B28F-434D-9884-6C3679B73C43}\System.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4784
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Install\{F123CA10-B28F-434D-9884-6C3679B73C43}\System.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1740
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3884
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1956
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:932

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  baf55b95da4a601229647f25dad12878

                                                  SHA1

                                                  abc16954ebfd213733c4493fc1910164d825cac8

                                                  SHA256

                                                  ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                  SHA512

                                                  24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  d85ba6ff808d9e5444a4b369f5bc2730

                                                  SHA1

                                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                  SHA256

                                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                  SHA512

                                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  d28a889fd956d5cb3accfbaf1143eb6f

                                                  SHA1

                                                  157ba54b365341f8ff06707d996b3635da8446f7

                                                  SHA256

                                                  21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                  SHA512

                                                  0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  cadef9abd087803c630df65264a6c81c

                                                  SHA1

                                                  babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                  SHA256

                                                  cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                  SHA512

                                                  7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\1oTY5n7bJl.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  3e64004163d1b626c4e676ab4b1b87cd

                                                  SHA1

                                                  381803dc16a77bcdf587c586a64a98c91c7f5a67

                                                  SHA256

                                                  a52c090e29d067bd3e64ae931a3e662501881f76ac90e8180842e3c10790e7ad

                                                  SHA512

                                                  6974d1b7854093de30b138db21a90947257ea930c915eec470c13d5478685f50d8a77a205cf550e691379781cb3998aa17c83c49b96dfa5f3bf78e9ad916bece

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  3b1c59177ade20674ed164d11db588a8

                                                  SHA1

                                                  43ec3b14e729143bd06d2de4c13697291528552d

                                                  SHA256

                                                  4103914063f7a576c1f0b5c3d18e6eb112f2e65820a064496e54c37635c27044

                                                  SHA512

                                                  52d7fc9e1ab5708910b2b729e8a187cb72fbaad015065e8119567c54dbf2d8b1d224b58d6158fed9aa44ae7fb79ec3b06bb0d1866a2bf74a7cb72812674b9c51

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  b33d8041ed1b0fd990fc2892cdf63bd2

                                                  SHA1

                                                  237ff80507b53f2d31873abfc165f6e53f603ee1

                                                  SHA256

                                                  e3e6abba53595da912d04351703afec82ea0b0a4d72a9b44162dce38b7a74ab1

                                                  SHA512

                                                  932788e2d33f3e7a13776870dbd89941ae1b0d7ac3c4bc0e54df3c244d7643494980ce296b8a85f918fafeeba8980cc2b9d4b47d0e8395aeef45c47d9cd3741b

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  766f4f05c6c0e404a9d8e8dc950d822c

                                                  SHA1

                                                  e65367fd91510ef4a87e4059568260cd02ac4b6a

                                                  SHA256

                                                  b73539871879de12bdc2bec06028fac718a70a794d52ce950aad19407fc087b5

                                                  SHA512

                                                  9ab4f18693b59169b8dffc825f9c30193c8bc6ae6293a5bf1ce216c38796d762824e86e82e8a830e5f1263d310637ba58eb6eda20bfad41d01291ff4c10410f0

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  08c4cc2e9f575473c5f9476f445c1548

                                                  SHA1

                                                  8c62fb43dafb6a0516eb490df05914e3775a37dd

                                                  SHA256

                                                  10940947265a8bc3e350369af4437622c35a6a6f3fb19ddd4b545c0393ca94a3

                                                  SHA512

                                                  85eb31f195e9ff3df0a3833291ba5ea3db0c64ddcc8d4a22f2c588bd5b13ce38edb2655adb4c458156d265931382768a40143838ee3e881eef10e6473e17ec25

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  a405174bf20088acba90ecdc005bd42b

                                                  SHA1

                                                  a748d1d47febc27a83f4af7be7b5cb2f2c1f5851

                                                  SHA256

                                                  55723cdcdcff0bd216efaa6019ac56eb60ffe9a8bc06b31875e8ff74cff7d78a

                                                  SHA512

                                                  a3ee160b5420c1e334969fc230e43d0b31e16257f5eeb070b5f6e93d2b01701e4f041eebb05a0261b5d2271bf9539c4affcc20a774ffb79209461909b3eb0ed3

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  afb86fa528b1926cd5b45d0295251ab2

                                                  SHA1

                                                  c73e4134643eb765930776907b9a52d3681a365e

                                                  SHA256

                                                  3a63656a9db6589c481137c77b397d2344a168176e2b889408234fb9ec001ec9

                                                  SHA512

                                                  d2014b303ec7302ec554b346c610096ada766bf673ad0608ec90cd13708f200e1a3de5826e1999f4d34ace957fc6b49991f2c26d690acb9680dd28a4c7651c5f

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  73780ed392c22d1f1cdb3655346ccfb7

                                                  SHA1

                                                  8118c77409683fe370a65f3f9f12f5f7bb39fba4

                                                  SHA256

                                                  0cbcba7b0c0da266b5ba4fa13f6cde21acb90b9b2a4d3c203f873b56fccadb40

                                                  SHA512

                                                  e50cd2c4adb84e980bc9843c641b3eee9b9aa1f72497f56d24393783fa780d371813dea3b3464c7cc7b58eb8af66c3f9b90bb6fe01e776359715a9d904940d89

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  92e522573b4b23664a1e7377ca1feb6b

                                                  SHA1

                                                  cdab6c4a360fbd6d117f208f011a37b21ef1f154

                                                  SHA256

                                                  91ad95e2264efcf1904da98c29c24f0c36a2e168b85078c11c691bc6add112dd

                                                  SHA512

                                                  c43187e569d99e7fb972b46e3cef3fad54258eb1b63b744f5eeb3fce0c0d8e1873d6bfe4e6bf7eba31736e8d58717e63a1fbe7c063dc46e12d5dfbf0c5ab8fa3

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5jnadcg.ofy.ps1
                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  05385c27b4eb5f9251b479c9157ff25b

                                                  SHA1

                                                  cb2a273e56450355f6226bad11a15175fd18f696

                                                  SHA256

                                                  6a89ec08a213c8aa1e34b1a421a082419591b6358f9ba2531a1324e01ad1b3e1

                                                  SHA512

                                                  e41835d7f3d788b34f1ed70eb13dba40cff2bd4d4418551bdc706f2216471d3ec41dd81b5ad7b606c72468ff982019d3f80fc8df49acb73b1ea9167d392a74b9

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  2de7cafae73e694b29fa172c8d8b22c7

                                                  SHA1

                                                  b67c43d172a1d7b0ad649a9c002d387fc18bfc2c

                                                  SHA256

                                                  e5772e7523274916758a077485dfa673220ec62097b5402d6da5628c33f7df8f

                                                  SHA512

                                                  9c2fc67d43e2dc9e8b993eab9b24cde9ef9a9dd481059570091e2ce611f318dad7490f4fd540191d1979417f82d8faec04a1035cfbef41a2b18799687e53ac28

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  4bb919f1dab10016a54d18d455cf1f9c

                                                  SHA1

                                                  d413d9a8a244f72beb160206336d185f70e78d8d

                                                  SHA256

                                                  002100e314b636baef58485493bb64c16845739c3022fed6d34f92dca81e10ea

                                                  SHA512

                                                  a9aad6e3304c98ad1799a66f7ab516d29a83dd4b4c56bb9c89cf53702be28c265a1490cfe6e0f45684bdfa58ddbcc34eed90085c7923ce108aabf773a8b6d357

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  0128eeebf3ac288b83ae9d82da326fe7

                                                  SHA1

                                                  c17a898ec2cc740b6a4b08e29ec1d76e2db00037

                                                  SHA256

                                                  bc5cd7060ecaecd0ab86e0c159e1d24a3ccebf0f6f83b6d72eaa909666f3d77e

                                                  SHA512

                                                  306976e4b3487a662aeae3aea4e24b0299cd5f35ecf827e407e84a91d233f2be8a7feb8b0b3cb1c4a213f646dbc13153261437f161a682168c4e8144dc11ad81

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat
                                                  Filesize

                                                  222B

                                                  MD5

                                                  54f435f006507bc01ce78344d8a9f3df

                                                  SHA1

                                                  dc98bba61393c6b814e901e00b3c9bfd8f25ba89

                                                  SHA256

                                                  a0af553f280269e0bd9202bc4b6d76a57918108fdb63f553c7c561b05981e386

                                                  SHA512

                                                  8434c72ff6287b9a5fa530db3a28a23a8b2cb328f7bb0ee8689160909c388deb8b454121bec32b37a50ea34b6be86231992d17dd52cd8b98ad6a6985c42159d6

                                                  Download Submit

                                                • C:\providercommon\1zu9dW.bat
                                                  Filesize

                                                  36B

                                                  MD5

                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                  SHA1

                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                  SHA256

                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                  SHA512

                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                  Download Submit

                                                • C:\providercommon\DllCommonsvc.exe
                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                  Download Submit

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                                  Filesize

                                                  197B

                                                  MD5

                                                  8088241160261560a02c84025d107592

                                                  SHA1

                                                  083121f7027557570994c9fc211df61730455bb5

                                                  SHA256

                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                  SHA512

                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                  Download Submit

                                                • memory/220-123-0x000000001D840000-0x000000001D9AA000-memory.dmp

                                                  Filesize

                                                  1.4MB

                                                  Download

                                                • memory/1376-17-0x000000001B360000-0x000000001B36C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/1376-14-0x000000001B330000-0x000000001B342000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1376-13-0x0000000000780000-0x0000000000890000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                  Download

                                                • memory/1376-15-0x000000001B340000-0x000000001B34C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/1376-12-0x00007FFD6E7F3000-0x00007FFD6E7F5000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/1376-16-0x000000001B350000-0x000000001B35C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/2128-179-0x000000001C940000-0x000000001C9E1000-memory.dmp

                                                  Filesize

                                                  644KB

                                                  Download

                                                • memory/2364-138-0x000000001DE80000-0x000000001E029000-memory.dmp

                                                  Filesize

                                                  1.7MB

                                                  Download

                                                • memory/2896-159-0x000000001D140000-0x000000001D2E9000-memory.dmp

                                                  Filesize

                                                  1.7MB

                                                  Download

                                                • memory/3760-165-0x000000001D790000-0x000000001D939000-memory.dmp

                                                  Filesize

                                                  1.7MB

                                                  Download

                                                • memory/4012-42-0x0000027531D00000-0x0000027531D22000-memory.dmp

                                                  Filesize

                                                  136KB

                                                  Download

                                                • memory/4088-151-0x000000001D080000-0x000000001D229000-memory.dmp

                                                  Filesize

                                                  1.7MB

                                                  Download

                                                • memory/4316-144-0x000000001DAA0000-0x000000001DC49000-memory.dmp

                                                  Filesize

                                                  1.7MB

                                                  Download

                                                • memory/4612-172-0x000000001D840000-0x000000001D8E1000-memory.dmp

                                                  Filesize

                                                  644KB

                                                  Download