Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:42

General

  • Target

    JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe

  • Size

    1.3MB

  • MD5

    a464e647ff6b07cc2267b54f37d4383d

  • SHA1

    6e8f4613024fe40a4b2744ecf9e6a463453bde17

  • SHA256

    536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081

  • SHA512

    776214dfea3a52a213c4a82d13fd1c3141c0132554df30c54024e7a9b9e41eb8d5e1edda4b89dba16b5f1a8587c6648f37a5129430aed4281b7aba04bed726c0

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1172
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2516
          • C:\Users\Public\Music\Sample Music\dllhost.exe
            "C:\Users\Public\Music\Sample Music\dllhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1028
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:636
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:1500
                • C:\Users\Public\Music\Sample Music\dllhost.exe
                  "C:\Users\Public\Music\Sample Music\dllhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1476
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2184
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                    PID:932
                      • C:\Users\Public\Music\Sample Music\dllhost.exe
                        "C:\Users\Public\Music\Sample Music\dllhost.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1812
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
                          10⤵
                      PID:1032
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                        PID:2192
                              • C:\Users\Public\Music\Sample Music\dllhost.exe
                                "C:\Users\Public\Music\Sample Music\dllhost.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2208
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
                                  12⤵
                          PID:2000
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                            PID:1028
                                      • C:\Users\Public\Music\Sample Music\dllhost.exe
                                        "C:\Users\Public\Music\Sample Music\dllhost.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1272
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
                                          14⤵
                              PID:320
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                PID:592
                                              • C:\Users\Public\Music\Sample Music\dllhost.exe
                                                "C:\Users\Public\Music\Sample Music\dllhost.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1652
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
                                                  16⤵
                                  PID:1612
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                    PID:1648
                                                      • C:\Users\Public\Music\Sample Music\dllhost.exe
                                                        "C:\Users\Public\Music\Sample Music\dllhost.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3040
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
                                                          18⤵
                                      PID:2460
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                        PID:1472
                                                              • C:\Users\Public\Music\Sample Music\dllhost.exe
                                                                "C:\Users\Public\Music\Sample Music\dllhost.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1972
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
                                                                  20⤵
                                          PID:1756
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                            PID:2420
                                                                      • C:\Users\Public\Music\Sample Music\dllhost.exe
                                                                        "C:\Users\Public\Music\Sample Music\dllhost.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1044
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
                                                                          22⤵
                                              PID:2884
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                PID:2372
                                                                              • C:\Users\Public\Music\Sample Music\dllhost.exe
                                                                                "C:\Users\Public\Music\Sample Music\dllhost.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2056
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
                                                                                  24⤵
                                                  PID:2764
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                    PID:940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\security\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\security\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:840
  • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\security\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2444
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2064
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2204
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1496

                                      Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              ea6965799abb34000a34d4b9523b2783

                                              SHA1

                                              67e5b9e6018995560db822762586416a89441646

                                              SHA256

                                              6a5ce694cb3d7439d35b362f76aff812f440dbc18b40794a4158173e4d5b098d

                                              SHA512

                                              de0a9dd8b57bea945ac0cb7787795d0a1c5702fc4d6c1bfd3a4ef158b880e1e90f099da3c451e9b2a69863ac55fa80bd1da86e6a5b85b6c77f9c00aa9162932f

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              409f2a75b491264bc8c473ebd77b8e1c

                                              SHA1

                                              eca24db8d9b9bc9990bd2930de66f76f999af7b9

                                              SHA256

                                              6f9d69ccae69c749f49cfd42a2a4d8eee5fd71d5e4137180e3f2b9b0b929cfbb

                                              SHA512

                                              b6259a04abeb01bca4db48bde6887b6800d4f30958e2f0cc64c54b52090b3d2e0589f26b78bfd44bd1d8dffe24c0993f806f64d5de58ed7b704903b892e4784f

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              c046937c4fe96639e636600c1e1b1c17

                                              SHA1

                                              1d98b2a83531e65fab5e12ab77425f6898e585db

                                              SHA256

                                              12c8e21889c2f71014a51ee678a95343f7964772008107d98831f137c40766b1

                                              SHA512

                                              776a9b982d3c786c19d105d326a4d861b4126e1a94b010424c6b2e8e72316d87a25a0ba0c7f8c6883dd4bc3bc22837c4392257ccb518caddf9b056032d5621f5

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              4222ac2c9bf826a00b01c781362db7a3

                                              SHA1

                                              2fef6e2fb21c9f3567fe9c6598a8e30a245cfcb2

                                              SHA256

                                              ffd491fedd80a38322aafdf22d90038f07059f83849818ff7f8454a50498d1bb

                                              SHA512

                                              157d4ff10a9541983f9e4e288283a6359c05c0a46c7cb70b6a76cae0265d1865fc74b9f67f02d6ace2f9956a5de9a26ca2c6bd744b0c9b85d5afdd86f650e141

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              8bacb66c1649b72ecbe33353d82f04bd

                                              SHA1

                                              59ee32b494e62834ed6d1df57f62ef2493178625

                                              SHA256

                                              0e85954e8c156f481a3f5c911ad377c749ef7149c35b9fd21e89d07de35ac412

                                              SHA512

                                              adaf39269d3f4d7e004c59d4d69fac873355d17665ca086e78bf5f06d59c1b5bd530b0736cc4936644f1d7f46a84ba3712583dc63ab5cbfae190511db49ca612

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              b9af6fa8aeaacf7f63c3593cd875fb53

                                              SHA1

                                              f61261a258e98e7c2f758df9b55d415c994e029b

                                              SHA256

                                              bbb0e74bd5db789a032c4d79329d31dd0bb65bc4504aad043a05d4b1a46bcba7

                                              SHA512

                                              214ad42ad808d34c93e15a82b829cfd42039a1634f8d1b0a869eadf9fad5461b49295c3550ccfbcdcfac9ff1a04b07bc4006e3c2dd89ea4fb1984d82893d66c2

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              7e3baf005cc368205a1b2a0ad25045b0

                                              SHA1

                                              7e4f2f54e023a3e826cc0300ecb9de5c4c01d962

                                              SHA256

                                              40cfd44f277e221844e19baaa598bc2556f9cf4ec4b693d91bcd3b4d9514f481

                                              SHA512

                                              4ed67559c9bee5783ceeafc201ac45c0ae429518c6183a1550e82177c2b38b772cd9e2bedcb5673e05a4d55d477c1f553af21562bad64e8aefc1bb6c9d6e9202

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              bf12c7530f21bf8c6627b0f53ebfd167

                                              SHA1

                                              1ec7ae104ef894da0810fe3da4912d130db52154

                                              SHA256

                                              29b9364c3f1dcf25a6b2405e7ac8e33342cd58a994272b8880e7c8f866cb6f27

                                              SHA512

                                              88d9e0ea56bcc23928ae51094cf64a3df5fb43e8cc4fc3cc88c1118d9d88498af805f11b01c967cd85d7fc928f9f7add60a27c1d214e315e63250db33db449c0

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              c24c354d8d95ffdfd43848fe5d41cd3e

                                              SHA1

                                              d178c3830f713035ea631eb491bf7c8fde48fedb

                                              SHA256

                                              2a6d0373a6d4c8cf18afd7baa483503c2fe7caea639ad2b92d166d7f39be7fa5

                                              SHA512

                                              1cddf78674cbd385a98c146d6385518e64d9351eb66bf21e90a01efe17c292013e70d8b8a3aa00146f975eb651f9ef51a93e95941a022510c8170d74bc7df112

                                            • C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat

                                              Filesize

                                              211B

                                              MD5

                                              5cc99c9e9247123666b6a0d7cc440cff

                                              SHA1

                                              230b5d0fe5cd93eb75f3791468650321d038b297

                                              SHA256

                                              3f6098e0fcfd233ddcd803c26ff62e1d011a889592b4b543d39ea4287baaad9e

                                              SHA512

                                              bf2d365f49b7d08c714af3023402b0d494becd4401116b169edc3529d912b980ab8787334f824892cd51c519b60ae72e92d5514b5d500f5b5555c45133dcf690

                                            • C:\Users\Admin\AppData\Local\Temp\CabFD45.tmp

                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat

                                              Filesize

                                              211B

                                              MD5

                                              7214131fbfb822dfbda7cc8d41d6aed9

                                              SHA1

                                              6938c7f2fd4990575c01c6478c67297810ad3a27

                                              SHA256

                                              04302c6d96ed02a0b5226f755cd289934fa28f9b76e2dcb8692854d68bb8495c

                                              SHA512

                                              4096c430539d1805613142cf1c2acf74bf77d4fc5f22b086eb1fa7c4b53129823c58880eaaf98ce958c921beaec42baa1bee833fb926ba836225c74c08ce3f91

                                            • C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

                                              Filesize

                                              211B

                                              MD5

                                              dd987216225b491df1d4597766311dd0

                                              SHA1

                                              c3a3323c17a0f083a8877a3647c0600f8af7d383

                                              SHA256

                                              25208d735394b37551f9922f97f5f9c99ab471b2cbf1c3494664936895162022

                                              SHA512

                                              183506edba7bcee3b570a44726ec49a8a47b93685dc24735228be3ccdb57e14182ca8cc32e699da55891760d94c3370b76ce7f1e013c77179f927ea75076c788

                                            • C:\Users\Admin\AppData\Local\Temp\TarFD96.tmp

                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

                                              Filesize

                                              211B

                                              MD5

                                              716235c1a05d5e1d3947d25ffa8b2697

                                              SHA1

                                              0e45a7da46c4cf97839b3e23d13d6383406058af

                                              SHA256

                                              4f30c51adae6f88509f553bf94aff1b0248da96b2f6009f7b35d91ce8460b073

                                              SHA512

                                              47938cf17987e5ab944f494155187294dbc149aadff333b16b109026ab88ba0d461c138bd5e73cb6b7a57d72b0522063edaf8fe9684c6f57797f50ff86377df9

                                            • C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat

                                              Filesize

                                              211B

                                              MD5

                                              37d7fa14381d166d11b7f7dde4a1375c

                                              SHA1

                                              1bcdb5477efa59346f1cb9a1b15e2034fc5289af

                                              SHA256

                                              8fdfb722836443cf51e04f64f58bc0cc61e5fa7ab0d518659e22a5b21d95f509

                                              SHA512

                                              c8a152d9968a1f4bd438da46ff359fa85b4866fa787f2e1e1f9f4a382ba5180562d4d25fe8568d802eb417de16e967300c2fcec35ba4fd0d0cb3e798971c12a5

                                            • C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

                                              Filesize

                                              211B

                                              MD5

                                              03c4dce97ee0aad4437b892aee96089a

                                              SHA1

                                              c26f1b45dbe5b287a937b5f4435f561254338d2c

                                              SHA256

                                              b365e953d0361ac4eb73d559b996041888c17b9fc80ec4573ee9830efce85dd1

                                              SHA512

                                              1b3e539d4d855b60378cb21bd89c504e8994197b416f0e33c184bd9d6417346e89e24658f9a0577873dba33906d1a34ac5ca4945de5f989f8c70a7fb9fe907e3

                                            • C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

                                              Filesize

                                              211B

                                              MD5

                                              ae8197b756f308f00544c13f3c96ed09

                                              SHA1

                                              3ef4968b2b8b9980dcc743f6067452e74acc09ed

                                              SHA256

                                              dfdbc41f4096c52ab7a8e175387b3b8ba6342257f8bcd52aa6184c7f09d579ab

                                              SHA512

                                              dc3290043075d7907f94a7c43960902d286da96814b94ef3f15c875996e801231a5abea7d0f63edbc34406139d6f085de294c3310a04de927caf7cbc9ad3aa6e

                                            • C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

                                              Filesize

                                              211B

                                              MD5

                                              44b225b4a3c68fe25e51c32aea26ab46

                                              SHA1

                                              bc2ab4ed69d4e68f02145630908ceebfb3f30748

                                              SHA256

                                              9d122379db0c379bd796ec9f09cc844a6057b48ad2a08126af7d97c6c0d7ede8

                                              SHA512

                                              d59eccdea22314c1cc1abd40afbab302a752f46f673b51350b8ca74291e191a62eef144ed863bbcd0ea56889c2ab6a7621b056bbc5e3e25829174e40644dcf26

                                            • C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat

                                              Filesize

                                              211B

                                              MD5

                                              0468a135dfbd56f8f22e2dcebf5ab285

                                              SHA1

                                              93849bf87b8efc891a4c4a9474420965db4952a1

                                              SHA256

                                              16cb2b02bd11b55f0bb66b9d1cfd937958d32f31f532afb7d4cf50200b12a014

                                              SHA512

                                              6bd6de2eb4bb592c18a56ca5b2c0d1ba487677b5995d4ddc7d4a72aaf5e4abcaf2c65b6866a61a05a5b87f028ea9cf346e89e6e1b8304b26183b2597bc2ef84a

                                            • C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

                                              Filesize

                                              211B

                                              MD5

                                              e67f2897e683f7fc25b1ad9a100dcc36

                                              SHA1

                                              b53c9884a2663ce5e680618e0a6b144b3d2c8f01

                                              SHA256

                                              84510aacab1b40ffacef8439559e4d4c0ae1d5dc7d85685c78b2e185d3fde1eb

                                              SHA512

                                              cd6ee5c70ffe6ee271df0be2b03e8a918636682b87be852cdea447a1066aeddefea0934e42d9a9071da9218e210719579c07de73ee791e92975adc26457daf99

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB

                                              MD5

                                              7c2ab678381076a17db2104e5173df10

                                              SHA1

                                              e7a867c9cde4c6c190da96edca7a760b2038186b

                                              SHA256

                                              5a3a242d7a0d6171e93609b3287fb86407feee2f76ca75f072a6b61b8f5e3391

                                              SHA512

                                              6b904ba3414521c912662450aa78616deef157bd2975573c5b67297808c8e5ac863fddc8eb71b7976be2fa15f1b507170a7ab1d8cc9d9c8b039fe3736e66c6b3

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • \providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • memory/1028-46-0x0000000000CF0000-0x0000000000E00000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1028-108-0x00000000001C0000-0x00000000001D2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1044-586-0x00000000002B0000-0x00000000003C0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1536-67-0x00000000024E0000-0x00000000024E8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1536-66-0x000000001B300000-0x000000001B5E2000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/1652-405-0x0000000000430000-0x0000000000442000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1812-226-0x0000000001180000-0x0000000001290000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1972-526-0x0000000000FF0000-0x0000000001100000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2056-646-0x0000000000B70000-0x0000000000C80000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2208-286-0x0000000001300000-0x0000000001410000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2996-17-0x0000000000480000-0x000000000048C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2996-16-0x0000000000470000-0x000000000047C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2996-15-0x0000000000460000-0x000000000046C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2996-14-0x0000000000450000-0x0000000000462000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2996-13-0x0000000000A80000-0x0000000000B90000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/3040-465-0x0000000000290000-0x00000000003A0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/3040-466-0x0000000000280000-0x0000000000292000-memory.dmp

                                              Filesize

                                              72KB
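
Not every path in the dropped-file list above is attributable to the sample. The CryptnetUrlCache\MetaData entries are CryptoAPI's cache of URLs fetched during certificate chain validation, the CabFD45.tmp and TarFD96.tmp files in Temp are what Windows writes while downloading and unpacking a certificate trust list, and the customDestinations-ms file is an Explorer jump list; all three appear in clean runs too. The artifacts worth extracting as IOCs are the randomly named 211-byte .bat files in Temp and everything under providercommon. The script below is an added example, not part of the report, that parses this listing format, separates OS noise from sample-attributed files by path, and emits hash lines for the latter. The noise rules are assumptions to review per environment; the sample listing is copied from the entries above with the SHA1 and SHA512 lines omitted for brevity.

```python
"""Parse a sandbox dropped-file listing, separate OS noise from sample-attributed
artifacts, and export IOC hashes. Added example; the noise rules are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Paths Windows writes on its own during a run (assumed noise list; first match wins):
# CryptoAPI's URL cache, the CAB/TAR temp files it produces while fetching certificate
# trust lists, and Explorer jump lists. Anything else is attributed to the sample.
NOISE_RULES = [
    ("cryptoapi-url-cache", re.compile(r"\\CryptnetUrlCache\\", re.I)),
    ("cryptoapi-ctl-download", re.compile(r"\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.I)),
    ("shell-jumplist", re.compile(r"\\Recent\\(Custom|Automatic)Destinations\\", re.I)),
]

@dataclass
class Dropped:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)

    def label(self) -> str:
        for name, rx in NOISE_RULES:
            if rx.search(self.path):
                return name
        return "malware-artifact"   # default: attribute to the sample, confirm against the process tree

def parse_downloads(text: str) -> list[Dropped]:
    """Each entry is a bullet-prefixed path followed by label/value line pairs."""
    records, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "•-":                 # new entry
            cur = Dropped(line[1:].strip())
            records.append(cur)
            pending = None
        elif cur is None:
            continue
        elif line == "Filesize" or line in HASH_LEN:
            pending = line                  # next line carries the value
        elif pending == "Filesize":
            cur.size, pending = line, None
        elif pending in HASH_LEN:
            # Keep only well-formed hex of the expected length for that algorithm
            if re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LEN[pending], line):
                cur.hashes[pending] = line.lower()
            pending = None
    return records

def ioc_lines(records, algo: str = "SHA256") -> list[str]:
    """'<hash>  <path>' for every record attributed to the sample."""
    return [f"{r.hashes[algo]}  {r.path}" for r in records
            if r.label() == "malware-artifact" and algo in r.hashes]

# Entries copied from the report above (SHA1/SHA512 lines omitted for brevity).
SAMPLE_LISTING = r"""
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize
  342B
  MD5
  ea6965799abb34000a34d4b9523b2783
  SHA256
  6a5ce694cb3d7439d35b362f76aff812f440dbc18b40794a4158173e4d5b098d
• C:\Users\Admin\AppData\Local\Temp\CabFD45.tmp
  Filesize
  70KB
  MD5
  49aebf8cbd62d92ac215b2923fb1b9f5
  SHA256
  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
• C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat
  Filesize
  211B
  MD5
  5cc99c9e9247123666b6a0d7cc440cff
  SHA256
  3f6098e0fcfd233ddcd803c26ff62e1d011a889592b4b543d39ea4287baaad9e
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize
  7KB
  MD5
  7c2ab678381076a17db2104e5173df10
  SHA256
  5a3a242d7a0d6171e93609b3287fb86407feee2f76ca75f072a6b61b8f5e3391
• C:\providercommon\1zu9dW.bat
  Filesize
  36B
  MD5
  6783c3ee07c7d151ceac57f1f9c8bed7
  SHA256
  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize
  197B
  MD5
  8088241160261560a02c84025d107592
  SHA256
  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
• \providercommon\DllCommonsvc.exe
  Filesize
  1.0MB
  MD5
  bd31e94b4143c4ce49c17d3af46bcad0
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
"""

if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_LISTING)
    for r in recs:
        print(f"{r.label():24} {r.size:>6}  {r.path}")
    print("\n".join(ioc_lines(recs)))
```

Treat the default label as a starting point, not a verdict: a file is attributed to the sample only after it is tied to a process in the tree (here the providercommon files and the Temp batch scripts are both written and executed by the sample's own processes), and a noise rule should never be added for a path only because it looks like an OS location, since this sample itself plants lsass.exe under C:\Windows\security.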