Analysis

  • max time kernel
    145s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:36

General

  • Target

    JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe

  • Size

    1.3MB

  • MD5

    42873086bb5b3b036fa76984e021817e

  • SHA1

    9bd550342b729b6330ba8682bea1b4965f163962

  • SHA256

    bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63

  • SHA512

    9fdca1997eec329174dffb2c3a103346f039e302c4c526d02569faf828d26b88af7405b2c6628a2bf0f860acdd3447bb5fc620702bc22fd7f3d5d4bb1123a18f

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1032
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1100
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1096
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2104
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1556
          • C:\Windows\ModemLogs\taskhost.exe
            "C:\Windows\ModemLogs\taskhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:972
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2896
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:2900
              • C:\Windows\ModemLogs\taskhost.exe
                "C:\Windows\ModemLogs\taskhost.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:964
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2344
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    9⤵
                    PID:2660
                  • C:\Windows\ModemLogs\taskhost.exe
                    "C:\Windows\ModemLogs\taskhost.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:852
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
                      10⤵
                      PID:1712
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        11⤵
                        PID:2736
                      • C:\Windows\ModemLogs\taskhost.exe
                        "C:\Windows\ModemLogs\taskhost.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2488
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
                          12⤵
                          PID:2948
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            13⤵
                            PID:1824
                          • C:\Windows\ModemLogs\taskhost.exe
                            "C:\Windows\ModemLogs\taskhost.exe"
                            13⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2924
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
                              14⤵
                              PID:2436
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                15⤵
                                PID:2456
                              • C:\Windows\ModemLogs\taskhost.exe
                                "C:\Windows\ModemLogs\taskhost.exe"
                                15⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1636
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
                                  16⤵
                                  PID:1600
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    17⤵
                                    PID:2708
                                  • C:\Windows\ModemLogs\taskhost.exe
                                    "C:\Windows\ModemLogs\taskhost.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2104
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
                                      18⤵
                                      PID:2832
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        19⤵
                                        PID:992
                                      • C:\Windows\ModemLogs\taskhost.exe
                                        "C:\Windows\ModemLogs\taskhost.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2948
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
                                          20⤵
                                          PID:2828
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            21⤵
                                            PID:2224
                                          • C:\Windows\ModemLogs\taskhost.exe
                                            "C:\Windows\ModemLogs\taskhost.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2276
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
                                              22⤵
                                              PID:3032
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                23⤵
                                                PID:1924
                                              • C:\Windows\ModemLogs\taskhost.exe
                                                "C:\Windows\ModemLogs\taskhost.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2208
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"
                                                  24⤵
                                                  PID:2292
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    25⤵
                                                    PID:2028
                                                  • C:\Windows\ModemLogs\taskhost.exe
                                                    "C:\Windows\ModemLogs\taskhost.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Application Data\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1012

                                      Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads
