Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 17:21

General

  • Target

    JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe

  • Size

    1.3MB

  • MD5

    fedee8ea04a3f6492e257a602f572046

  • SHA1

    1f66231cefbabedfeec7087ecb028720d89dd5af

  • SHA256

    1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f

  • SHA512

    8e376fad91e1762b52cac76c3a80ee11863d0786a05e7ccc67d25b8119dcb670f39c5d12e219675ed9236d410bdf55f270c45665388c20199aad7323c588aa64

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1ebaa7ed4637c29a58054d76654806ceb134309a5e6f97c7cedaa5b8c18b266f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:628
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1380
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
          • C:\Users\Admin\AppData\Local\lsm.exe
            "C:\Users\Admin\AppData\Local\lsm.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1152
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1720
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:3032
                • C:\Users\Admin\AppData\Local\lsm.exe
                  "C:\Users\Admin\AppData\Local\lsm.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2828
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1060
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1764
                      • C:\Users\Admin\AppData\Local\lsm.exe
                        "C:\Users\Admin\AppData\Local\lsm.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2544
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
                          10⤵
                            PID:1896
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:1040
                              • C:\Users\Admin\AppData\Local\lsm.exe
                                "C:\Users\Admin\AppData\Local\lsm.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:824
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"
                                  12⤵
                                    PID:2788
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:1736
                                      • C:\Users\Admin\AppData\Local\lsm.exe
                                        "C:\Users\Admin\AppData\Local\lsm.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2468
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
                                          14⤵
                                            PID:1528
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:1224
                                              • C:\Users\Admin\AppData\Local\lsm.exe
                                                "C:\Users\Admin\AppData\Local\lsm.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2492
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
                                                  16⤵
                                                    PID:1064
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:2524
                                                      • C:\Users\Admin\AppData\Local\lsm.exe
                                                        "C:\Users\Admin\AppData\Local\lsm.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1320
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
                                                          18⤵
                                                            PID:2088
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:2356
                                                              • C:\Users\Admin\AppData\Local\lsm.exe
                                                                "C:\Users\Admin\AppData\Local\lsm.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2732
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
                                                                  20⤵
                                                                    PID:2844
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:2188
                                                                      • C:\Users\Admin\AppData\Local\lsm.exe
                                                                        "C:\Users\Admin\AppData\Local\lsm.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2368
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
                                                                          22⤵
                                                                            PID:3000
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:1036
                                                                              • C:\Users\Admin\AppData\Local\lsm.exe
                                                                                "C:\Users\Admin\AppData\Local\lsm.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1476
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
                                                                                  24⤵
                                                                                    PID:1772
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:236
                                                                                      • C:\Users\Admin\AppData\Local\lsm.exe
                                                                                        "C:\Users\Admin\AppData\Local\lsm.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2784
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:448

                                      Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: ecb24cc40d7550a6252b171c84f16bb0
                                              SHA1: e7d13e7f681155cf77454f833fe28a3befe338cc
                                              SHA256: a0971c61cdd7f53e1799e4d5c5f683e17da4eae2e900902df995c475cb8d69d8
                                              SHA512: 3c126479b31084a07018cc542bb75acb588867ec7f3664800b643d6a715d16bee47fb3ed465f0ab4c5be39d830e7518d60c1d34e9e886b7e14b2ea1b802802cc

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: b30dbae8890194aef2ef45ba267ca7b9
                                              SHA1: 114fb10ea2e3ca72b411cece6a03dee520b42f29
                                              SHA256: b20d81d3f4f4da5865d5a965f018aa5acdee4a2ffbf6efd5da6ced4ef719b7b7
                                              SHA512: e4422b286299b38eb2dca02b353b56c74d2cd2befc7b8e3a09511be05655e02f49fc4aa047fcee36e4badd3c93971e44903b8924ea24438534ac723e464b54ad

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: de8b249dc274942549da5f7d2d3ad1da
                                              SHA1: 33328852cb405433608c9d2fb9c34c1958a00f2c
                                              SHA256: 8019f86c00ccf3648be35e7821ce9dcef473885c4973f54484df1561f81aaac3
                                              SHA512: e2f679e4da69c76a05bd45719cd157d13aa95841381b02e1bbf5bc6373ba92f459824dcdb4186294abc0889179675bd95d4c7cdea70e480abc55abc0832e8126

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: 98415e74b2f4d0303094c498a008ba13
                                              SHA1: 77a6d5c61460408330179bb6d78b6daf52e2eb17
                                              SHA256: 852b59d23d77421831c0db4dcec9560c09f8a03a6db7786663d2e555848cdbd5
                                              SHA512: dfbc99ef9a0a949f1a206a34ff0938b42223b0a1234c5d4c5bf213a62055b7377030cbf0dcce8290358415af7aa6970d585c165fe9d92f05540b6eb43ce89271

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: 1b8fb973e5a025c4e6cba4312c510dc6
                                              SHA1: 21b0c5bfd0f10ca68d9366ee451eb119bada8ab8
                                              SHA256: 77343d772c56155859588c03c2c87e3e09c423cb7542f508f507d82eb94a9281
                                              SHA512: 583b659bde5d660fbff9b5dd1ca6e2e908e252cda79ca4f904e3caeebc88e7d2bfc9b3897bbc3c7bc1afd4ee2311efb9b3f7d9fa5ec37b2528a0f6df932a8318

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: 4eef62609a4bae74dde7558a2db17ce3
                                              SHA1: 4a0c61ff8c2f0a51658d5ae01fe0c93d7a2f53fe
                                              SHA256: f356147ae88f7eafe9b41fb745fc86f05b1064b0d39bd7d2a9aaba91e027c75c
                                              SHA512: 3deb69ba8dd5f1f957d81fa1152219f54146f6457a5323b8d660aaee8ae2dac0e6c3b197d9cd6e72c04f82e4ff0861e3b036b23a33602f67e0c709cbaf2739fe

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: 7085f5dcd4658a1b7a5a782cc8bcc222
                                              SHA1: 942d5f4dc515e9e650780ab1c675d7b0dac55bc0
                                              SHA256: f4f8e8dee5b9daf679a19904eede0786389d8f9b18bc5cb2308298153947d156
                                              SHA512: ea84698cf38e5a0d7d7b8a3df97ad14db864a1b8cec98abebcac66cb34053b99c7c2d612bf2ade97a00eeb23dd420689d5f2f18912bfad5a179ddc57e98341b4

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: d4561ed7b8e5e7687acc2697ab014692
                                              SHA1: 5fea9da8a9141559321291b1be04a29116db5f04
                                              SHA256: 7c9d5575547139c2df9a2610d9261c9eb569d48cce009866292dea3984be7339
                                              SHA512: 708567bef90167d699aa7643460e180be314f354ee734d2ec79eb2e84a7093b10533fe9d63082b4a5e5252aeade05599ac037c0684497bb8e745dc17a7019413

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: fbe3ff1c8b67c79896849718acf659b6
                                              SHA1: c1ea603554291dd9be35e65a418a62e7abe93dbf
                                              SHA256: fcf626ee579483486be678ce8a3901611349113d95a29cf6156fc087bc864170
                                              SHA512: 1f74080406b6cc6e2813d37fba03c918fffc60d6cc705ebd919dcdcf6a9b0a1e5970f723c2b172b0517ad1f5e61e0d4f7cd6cba5c2d1648831efe0bbc746900a

                                            • C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat
                                              Filesize: 201B
                                              MD5: 46e2747fede4b340b33800fe7268e661
                                              SHA1: 0eecc9dd207572f4cdfcd0e5f4cdbb869e556030
                                              SHA256: eb1d58c843d634b0c041aa8f424effc9823ba75cc0d4c1ca3b328e0243f55a89
                                              SHA512: 4fb786d915e714c2b15bc3f388c115d64def91856a0e419f7a16bf7b06171a4d4112bf3c205a37f671c1b383def943005502b27006762d8e9996105d145af964

                                            • C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat
                                              Filesize: 201B
                                              MD5: a7a41826154afe59f4e060478583803c
                                              SHA1: 61752c4940062cb1802b9d47655ade460d182e54
                                              SHA256: 86d50738ca25ce1c19ab99d9dd979f65788a50eb15d36689ede4760aa77d5e2f
                                              SHA512: 47ac1c65503cb471ed8ab8101cf2e012b7452ef10ab02d0490f692903534bf94d992a5aac35b0adec7a8b9a512777b3d9b48ebe1347c5a7efc3bb6c6592a76df

                                            • C:\Users\Admin\AppData\Local\Temp\CabF163.tmp
                                              Filesize: 70KB
                                              MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
                                              SHA1: 1723be06719828dda65ad804298d0431f6aff976
                                              SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
                                              SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat
                                              Filesize: 201B
                                              MD5: bc0fcc5c7fa71eba10a54b11c27472f6
                                              SHA1: fe67b48d0724731cbcc85a58ebe71ab6047ef2df
                                              SHA256: 751c2365301f396e60dbd32e76de1eae843261acd45d3eef41c3394724a5a106
                                              SHA512: a5bc4c1b14179826b26cf8a44f782fad6525a848051fb42f9a3778afd47eaeac013f14d1acd21cb5619354532cbc57b995530c32cbdb84d29c2a569349d5a7ad

                                            • C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat
                                              Filesize: 201B
                                              MD5: 81f21bc3eaebb55712064214af6126e1
                                              SHA1: 49a9d4047a480ca3d02e15b0ac39b80fba14c628
                                              SHA256: 91b3511d6487b47076478403aa076aad6dbf385a19fde5b41bd6efdfe3794f32
                                              SHA512: e923415b0666efdefddfc600ec7e1656b624fe9dc24194effc47ffa3a813dbb6ae1028eb1f28c1af4c4918ca521a81482d5c30fc91814ece043ba0f9e09b736d

                                            • C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat
                                              Filesize: 201B
                                              MD5: 4647100d7660a9133df75201ed057997
                                              SHA1: 020a04da5075c5c6b053d0bc8fe01950d581f120
                                              SHA256: 85cbd0153bd882bedbfe0d39da466cedb5d69dd90521ea2d3268ca5de54a5e35
                                              SHA512: dedf2d11e4a8926cc6ae4a313b0d7bd85bb33472614b16b5a04d23ef13d4b31c7c300c016dca8c8fa79ab4672d5ecc4b3795ae34e71c02b38fb4aa73c5778ef8

                                            • C:\Users\Admin\AppData\Local\Temp\TarF185.tmp
                                              Filesize: 181KB
                                              MD5: 4ea6026cf93ec6338144661bf1202cd1
                                              SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
                                              SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
                                              SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat
                                              Filesize: 201B
                                              MD5: a6089311c50e86c4485f624ab55c25d4
                                              SHA1: 9895035b93f64af8c37ce02db8c9ffa1e1850fe1
                                              SHA256: ccd7ace21e3690190f40adcbfc47de7c67e400a70558aa1440c6444507e515a7
                                              SHA512: 70d63159d0ffe7f76739871d6e010f33115e6458bd4d69386473455cea00899dbba4e2107e6e6ff7df0ac62d37a90b2a3e9b97c0d3c8eb7c601319c889574825

                                            • C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat
                                              Filesize: 201B
                                              MD5: 7c077d097b2a26a34cc28636cdedbf71
                                              SHA1: 39b32c4b0886da40366a8c04e81238671b06fe4d
                                              SHA256: d95b122925dd5ab138247d12320105a37596e9585120b41802e1b06da3af89b3
                                              SHA512: 4eb81420cb4930c24e0a67d6aa052fe3b928e6ef6a3c6da2a6dfdc4455a9f9e5a6418e76d274d4b73a68901124d1a24e4abaac59ee8afbf9207bdce15532b774

                                            • C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat
                                              Filesize: 201B
                                              MD5: d6dd93fa373194d37eb0ff2ad271839a
                                              SHA1: a46bacc7bdaf83f61a7d6e02f363c56022bdbe20
                                              SHA256: f7e09187a1b5703f2d7054b1ce8682e6ef45fbb871575ec7117b118ec4306ba2
                                              SHA512: 31781855d4daeed1e6d4d8e7b0e0f258e97dafb4a9e5a576d6719dbd09414f46ce4c24b93e0bf2ee76d437cf797f0bd389e454d2168c84782acd1aa082e6f5c7

                                            • C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat
                                              Filesize: 201B
                                              MD5: e314a3d6ba5973cbfd663e163df8f640
                                              SHA1: 0a4d5fbeec4823213b3819d7dbe37e29b09424dd
                                              SHA256: 430b644e5399787ccb064e834bf15db984ddc9399664c89e1d7c21d8798be912
                                              SHA512: b75be15ce022bf374d0ff6b4d696fc495e4a866acc69fd4572426595ecdb6b99aa7ca61ca60257d9473f9c5e70e829af5fa2347e426dfacc1570f5df01d50fa1

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                              Filesize: 7KB
                                              MD5: 86c8dd5d16f23b41e6d62d10863b16a3
                                              SHA1: e46f108c036e9b6f7e8aea6031d8f8945937a96a
                                              SHA256: 2dd5036c66ec335cb86ef5bcbcafd10dd69daedb47aef062dd0e5ce2cf6d30ee
                                              SHA512: 759e01374ec1669fc379b7d815117428674eff493d06154f540d915e7cbcb089184a370cc17112aa1ac06b88e1d34a65678ec28ce4eb6e97526c8463e1889515

                                            • C:\providercommon\1zu9dW.bat
                                              Filesize: 36B
                                              MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
                                              SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
                                              SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                              SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                              Filesize: 197B
                                              MD5: 8088241160261560a02c84025d107592
                                              SHA1: 083121f7027557570994c9fc211df61730455bb5
                                              SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
                                              SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • \providercommon\DllCommonsvc.exe
                                              Filesize: 1.0MB
                                              MD5: bd31e94b4143c4ce49c17d3af46bcad0
                                              SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
                                              SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
                                              SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • memory/824-279-0x0000000000FE0000-0x00000000010F0000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/1152-48-0x0000000000100000-0x0000000000210000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/1236-54-0x0000000002280000-0x0000000002288000-memory.dmp
                                              Filesize: 32KB

                                            • memory/1236-50-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
                                              Filesize: 2.9MB

                                            • memory/1320-458-0x0000000001320000-0x0000000001430000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/1320-13-0x00000000000D0000-0x00000000001E0000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/1320-16-0x0000000000810000-0x000000000081C000-memory.dmp
                                              Filesize: 48KB

                                            • memory/1320-17-0x0000000000820000-0x000000000082C000-memory.dmp
                                              Filesize: 48KB

                                            • memory/1320-15-0x0000000000660000-0x000000000066C000-memory.dmp
                                              Filesize: 48KB

                                            • memory/1320-14-0x0000000000650000-0x0000000000662000-memory.dmp
                                              Filesize: 72KB

                                            • memory/1476-639-0x0000000000F60000-0x0000000001070000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/2368-579-0x00000000004C0000-0x00000000004D2000-memory.dmp
                                              Filesize: 72KB

                                            • memory/2368-578-0x0000000000C00000-0x0000000000D10000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/2488-699-0x00000000003C0000-0x00000000004D0000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/2492-398-0x0000000000560000-0x0000000000572000-memory.dmp
                                              Filesize: 72KB

                                            • memory/2544-219-0x0000000000550000-0x0000000000562000-memory.dmp
                                              Filesize: 72KB

                                            • memory/2732-518-0x00000000003B0000-0x00000000004C0000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/2828-159-0x00000000003D0000-0x00000000004E0000-memory.dmp
                                              Filesize: 1.1MB