Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    30/12/2024, 01:49

General

  • Target

    JaffaCakes118_7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d.exe

  • Size

    1.3MB

  • MD5

    43d23305d3f6d8c4e50045d0cc0b5cea

  • SHA1

    9d3deb67bf8d0b4c5173c3b9c85970f8c1d72a8a

  • SHA256

    7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d

  • SHA512

    341ccbc62fbd732eb62bc4347a8e20282734ee9165a4a7a1069079ffb40735d07a0d5bfe4f8aafb348b7c9fead78cbe5c7fb3f4543889fab494c24f7bc235dc8

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce6010d506a4b007778b5216a862026ab96341cced3527f6238d16a6084514d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2368
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
            "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:944
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1160
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1496
                • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
                  "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1932
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2448
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2812
                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
                        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2988
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"
                          10⤵
                            PID:2264
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:2932
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
                                "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2292
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
                                  12⤵
                                    PID:1736
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:3016
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
                                        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:812
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"
                                          14⤵
                                            PID:1828
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:2904
                                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
                                                "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2228
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
                                                  16⤵
                                                    PID:2184
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:2844
                                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
                                                        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:976
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
                                                          18⤵
                                                            PID:2256
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:2600
                                                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
                                                                "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1096
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
                                                                  20⤵
                                                                    PID:2384
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:1248
                                                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
                                                                        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:812
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
                                                                          22⤵
                                                                            PID:1888
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:936
                                                                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
                                                                                "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2660
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
                                                                                  24⤵
                                                                                    PID:756
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:960
  • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2012

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat

                                              Filesize

                                              221B


                                            • C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

                                              Filesize

                                              221B


                                            • C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

                                              Filesize

                                              221B


                                            • C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat

                                              Filesize

                                              221B


                                            • C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

                                              Filesize

                                              221B


                                            • C:\Users\Admin\AppData\Local\Temp\Cab12F6.tmp

                                              Filesize

                                              70KB


                                            • C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat

                                              Filesize

                                              221B


                                            • C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat

                                              Filesize

                                              221B


                                            • C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat

                                              Filesize

                                              221B


                                            • C:\Users\Admin\AppData\Local\Temp\Tar1328.tmp

                                              Filesize

                                              181KB


                                            • C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

                                              Filesize

                                              221B


                                            • C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

                                              Filesize

                                              221B


                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB


                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B


                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B


                                            • \providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB


                                            • memory/812-579-0x0000000000240000-0x0000000000252000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/812-340-0x00000000004C0000-0x00000000004D2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/812-578-0x0000000000250000-0x0000000000360000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/944-44-0x0000000000FA0000-0x00000000010B0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/944-54-0x0000000000430000-0x0000000000442000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1096-518-0x00000000010A0000-0x00000000011B0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1932-160-0x0000000001380000-0x0000000001490000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1952-100-0x000000001B2B0000-0x000000001B592000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2052-101-0x00000000023A0000-0x00000000023A8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2292-280-0x0000000000F80000-0x0000000001090000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2660-639-0x0000000000A80000-0x0000000000B90000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2948-13-0x0000000000360000-0x0000000000470000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2948-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2948-16-0x0000000000350000-0x000000000035C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2948-15-0x00000000005C0000-0x00000000005CC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2948-17-0x00000000005B0000-0x00000000005BC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2988-220-0x0000000000340000-0x0000000000450000-memory.dmp

                                              Filesize

                                              1.1MB