dcrat | 00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/12/2024, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe
Size

1.3MB
MD5

a0bdf4e53db7070e43b1763145a19178
SHA1

38b188e3b1f5be2b425dbf01dbf3a59a1d90176b
SHA256

00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5
SHA512

51e9049e5ad321ea367f95463b9a00c1d142995f489dd0824db1c1b2e607dbcd27285369a43278ef5d7698ce8dfe5809f4b8ba5791177fc0eff13373c6cf04df
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	4936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	4936	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023ca3-10.dat	dcrat
behavioral2/memory/1600-13-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3856	powershell.exe
1300	powershell.exe
4456	powershell.exe
2468	powershell.exe
4424	powershell.exe
2184	powershell.exe
4700	powershell.exe
3736	powershell.exe
2116	powershell.exe
1664	powershell.exe
4864	powershell.exe
508	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 16 IoCs

pid	Process
1600	DllCommonsvc.exe
5108	conhost.exe
5072	conhost.exe
3164	conhost.exe
3916	conhost.exe
2416	conhost.exe
2912	conhost.exe
3864	conhost.exe
2960	conhost.exe
4440	conhost.exe
4308	conhost.exe
1760	conhost.exe
2828	conhost.exe
1720	conhost.exe
1228	conhost.exe
2960	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
59	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com
15	raw.githubusercontent.com
28	raw.githubusercontent.com
42	raw.githubusercontent.com
46	raw.githubusercontent.com
40	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com
16	raw.githubusercontent.com
41	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\38384e6a620884	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Setup\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Windows\uk-UA\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\uk-UA\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\unsecapp.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Setup\unsecapp.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2248	schtasks.exe
2416	schtasks.exe
1512	schtasks.exe
4416	schtasks.exe
3504	schtasks.exe
708	schtasks.exe
3184	schtasks.exe
4448	schtasks.exe
2936	schtasks.exe
1796	schtasks.exe
808	schtasks.exe
2348	schtasks.exe
3948	schtasks.exe
4560	schtasks.exe
2984	schtasks.exe
2084	schtasks.exe
2376	schtasks.exe
3684	schtasks.exe
2860	schtasks.exe
2172	schtasks.exe
912	schtasks.exe
3444	schtasks.exe
1948	schtasks.exe
2340	schtasks.exe
4920	schtasks.exe
528	schtasks.exe
3224	schtasks.exe
4000	schtasks.exe
4572	schtasks.exe
1964	schtasks.exe
836	schtasks.exe
3988	schtasks.exe
4856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
1600	DllCommonsvc.exe
2116	powershell.exe
2116	powershell.exe
2468	powershell.exe
2468	powershell.exe
4864	powershell.exe
4864	powershell.exe
2184	powershell.exe
2184	powershell.exe
1300	powershell.exe
1300	powershell.exe
3856	powershell.exe
3856	powershell.exe
1664	powershell.exe
1664	powershell.exe
3736	powershell.exe
3736	powershell.exe
4424	powershell.exe
4424	powershell.exe
4700	powershell.exe
4700	powershell.exe
508	powershell.exe
508	powershell.exe
4424	powershell.exe
4456	powershell.exe
4456	powershell.exe
5108	conhost.exe
5108	conhost.exe
508	powershell.exe
4700	powershell.exe
2468	powershell.exe
3856	powershell.exe
1300	powershell.exe
2116	powershell.exe
4864	powershell.exe
2184	powershell.exe
1664	powershell.exe
3736	powershell.exe
4456	powershell.exe
5072	conhost.exe
3164	conhost.exe
3916	conhost.exe
2416	conhost.exe
2912	conhost.exe
3864	conhost.exe
2960	conhost.exe
4440	conhost.exe
4308	conhost.exe
1760	conhost.exe
2828	conhost.exe
1720	conhost.exe
1228	conhost.exe
2960	conhost.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	DllCommonsvc.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	5108	conhost.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	5072	conhost.exe
Token: SeDebugPrivilege	3164	conhost.exe
Token: SeDebugPrivilege	3916	conhost.exe
Token: SeDebugPrivilege	2416	conhost.exe
Token: SeDebugPrivilege	2912	conhost.exe
Token: SeDebugPrivilege	3864	conhost.exe
Token: SeDebugPrivilege	2960	conhost.exe
Token: SeDebugPrivilege	4440	conhost.exe
Token: SeDebugPrivilege	4308	conhost.exe
Token: SeDebugPrivilege	1760	conhost.exe
Token: SeDebugPrivilege	2828	conhost.exe
Token: SeDebugPrivilege	1720	conhost.exe
Token: SeDebugPrivilege	1228	conhost.exe
Token: SeDebugPrivilege	2960	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 3068	388	JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe	83
PID 388 wrote to memory of 3068	388	JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe	83
PID 388 wrote to memory of 3068	388	JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe	83
PID 3068 wrote to memory of 1456	3068	WScript.exe	84
PID 3068 wrote to memory of 1456	3068	WScript.exe	84
PID 3068 wrote to memory of 1456	3068	WScript.exe	84
PID 1456 wrote to memory of 1600	1456	cmd.exe	86
PID 1456 wrote to memory of 1600	1456	cmd.exe	86
PID 1600 wrote to memory of 4456	1600	DllCommonsvc.exe	121
PID 1600 wrote to memory of 4456	1600	DllCommonsvc.exe	121
PID 1600 wrote to memory of 2468	1600	DllCommonsvc.exe	122
PID 1600 wrote to memory of 2468	1600	DllCommonsvc.exe	122
PID 1600 wrote to memory of 4864	1600	DllCommonsvc.exe	123
PID 1600 wrote to memory of 4864	1600	DllCommonsvc.exe	123
PID 1600 wrote to memory of 4424	1600	DllCommonsvc.exe	124
PID 1600 wrote to memory of 4424	1600	DllCommonsvc.exe	124
PID 1600 wrote to memory of 2184	1600	DllCommonsvc.exe	125
PID 1600 wrote to memory of 2184	1600	DllCommonsvc.exe	125
PID 1600 wrote to memory of 4700	1600	DllCommonsvc.exe	126
PID 1600 wrote to memory of 4700	1600	DllCommonsvc.exe	126
PID 1600 wrote to memory of 3736	1600	DllCommonsvc.exe	127
PID 1600 wrote to memory of 3736	1600	DllCommonsvc.exe	127
PID 1600 wrote to memory of 3856	1600	DllCommonsvc.exe	128
PID 1600 wrote to memory of 3856	1600	DllCommonsvc.exe	128
PID 1600 wrote to memory of 1300	1600	DllCommonsvc.exe	129
PID 1600 wrote to memory of 1300	1600	DllCommonsvc.exe	129
PID 1600 wrote to memory of 2116	1600	DllCommonsvc.exe	130
PID 1600 wrote to memory of 2116	1600	DllCommonsvc.exe	130
PID 1600 wrote to memory of 1664	1600	DllCommonsvc.exe	131
PID 1600 wrote to memory of 1664	1600	DllCommonsvc.exe	131
PID 1600 wrote to memory of 508	1600	DllCommonsvc.exe	132
PID 1600 wrote to memory of 508	1600	DllCommonsvc.exe	132
PID 1600 wrote to memory of 5108	1600	DllCommonsvc.exe	144
PID 1600 wrote to memory of 5108	1600	DllCommonsvc.exe	144
PID 5108 wrote to memory of 980	5108	conhost.exe	146
PID 5108 wrote to memory of 980	5108	conhost.exe	146
PID 980 wrote to memory of 5076	980	cmd.exe	148
PID 980 wrote to memory of 5076	980	cmd.exe	148
PID 980 wrote to memory of 5072	980	cmd.exe	152
PID 980 wrote to memory of 5072	980	cmd.exe	152
PID 5072 wrote to memory of 4804	5072	conhost.exe	156
PID 5072 wrote to memory of 4804	5072	conhost.exe	156
PID 4804 wrote to memory of 4404	4804	cmd.exe	158
PID 4804 wrote to memory of 4404	4804	cmd.exe	158
PID 4804 wrote to memory of 3164	4804	cmd.exe	159
PID 4804 wrote to memory of 3164	4804	cmd.exe	159
PID 3164 wrote to memory of 5048	3164	conhost.exe	161
PID 3164 wrote to memory of 5048	3164	conhost.exe	161
PID 5048 wrote to memory of 4624	5048	cmd.exe	163
PID 5048 wrote to memory of 4624	5048	cmd.exe	163
PID 5048 wrote to memory of 3916	5048	cmd.exe	165
PID 5048 wrote to memory of 3916	5048	cmd.exe	165
PID 3916 wrote to memory of 1760	3916	conhost.exe	166
PID 3916 wrote to memory of 1760	3916	conhost.exe	166
PID 1760 wrote to memory of 2008	1760	cmd.exe	168
PID 1760 wrote to memory of 2008	1760	cmd.exe	168
PID 1760 wrote to memory of 2416	1760	cmd.exe	169
PID 1760 wrote to memory of 2416	1760	cmd.exe	169
PID 2416 wrote to memory of 3212	2416	conhost.exe	170
PID 2416 wrote to memory of 3212	2416	conhost.exe	170
PID 3212 wrote to memory of 1512	3212	cmd.exe	172
PID 3212 wrote to memory of 1512	3212	cmd.exe	172
PID 3212 wrote to memory of 2912	3212	cmd.exe	173
PID 3212 wrote to memory of 2912	3212	cmd.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00333a738de3902737ef620dffbb0cab2b6b950493c24074238a400ece4891e5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
    - - C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5076
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4404
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4624
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2008
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1512
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        16⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3508
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        18⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4556
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"
        20⤵
        
        PID:4404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4192
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat"
        22⤵
        
        PID:3164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4312
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
        24⤵
        
        PID:5016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2388
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
        26⤵
        
        PID:5092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4548
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
        28⤵
        
        PID:4456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1944
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        30⤵
        
        PID:4988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4212
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
        32⤵
        
        PID:432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:3976
        
        C:\Users\Admin\Music\conhost.exe
        
        "C:\Users\Admin\Music\conhost.exe"
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Setup\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\skins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat

Filesize
197B

MD5
37fe06ce63360d8a8aac2511f25867ec

SHA1
781f5d00a3d1637c4778a3ab321192df8f3e0cd2

SHA256
b1f334e33f96370b1f664bd03180aca26e2dbb93d20c59192dff7b1bd16ca30e

SHA512
ce154ecedae34352f7438882580927319a92403388efb801c8f1618c420ad23bdbd0be2795abcbc9c8605391044918af8276efdb3e9a1bfe58fcf6fe632f93d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
197B

MD5
5a3a2b7ab7e426ece5119cc7b468462f

SHA1
88787a5d3a2a0c6e4425b76e5968f36319996994

SHA256
066bdd9ec5a18845f1f2fcab2de16915bdc3f9fd248fec92fe8c6b949aea4467

SHA512
e4bdfd01005735ae3452b40e918c0e02e0eea86146274b7c95deabde0eea0b8548255ff8ef2f3ec9d7488a83fa9b17cc9d74fa6aea83fc04b31dfad1efb7be37

Download Submit
C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat

Filesize
197B

MD5
ee5e9d2a36b3bf4f3729d522ca507ca1

SHA1
dc62d31c058397b9577751c17915e4192c863b74

SHA256
b6d1e4b40c4ee0279dd5fb246b5387baa9cd51607d9ab1d5753443b86d1713fa

SHA512
23db41e30f4dc55e5251c85b66aeca145bc4820b002dae59a9d0fd42f787ae2d9ce1b95db2f3e4bb33c8eb9bf6d36db9034a4f76258e70dc74f84e6ccc264124

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

Filesize
197B

MD5
f1793a5dbc3f9c894882d9a210344941

SHA1
75f984077fa028e2f6969948c248928cf5c637c0

SHA256
956e3cc1d654f7580eac9cb585682c58dd51abc542dd1648855674dc57b850f7

SHA512
15727fef1f012d3b8e26e97acf97fe20f00c653d23a30b778b35b1c6c8e64acc5a2854cd81ce7f548223c2bb079e05685165447bb2c291d462a7a52db824d1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

Filesize
197B

MD5
52f6785eb4ea109f393d5c3e4c11085b

SHA1
6c3ebb261964dd30333a1813687e7357739e14df

SHA256
9abee400c1f57d2cbfde837a2a30dacc0d51f91cec0de0ab3759f197e5ab9511

SHA512
f12c625670db72dc439c0a0f62a7a69fbc89dde18b1ce25adc6dab7a99d7ba650efc654d168e608916b00771b4f3d5a08336c722dc61435707db92988e6a05bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat

Filesize
197B

MD5
68c0ec215b02e9452545a5427a90453f

SHA1
21e0793b9ff2ce49c50f65841ca398966caecca8

SHA256
33c9c3600d531a933be63b13660c21b6bc3c533a6f0b92dc8b2f295d5276da38

SHA512
bac78cf318b20c8bff677af52f159bd49e2ad9060055248172d796d489fcb8e92d9a46ee3eba49f7d3aee7b9d74346f3bbacd8aaadcc2d2f1de06d1e9916f980

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
197B

MD5
0bb05e047f7cca410adc8824d1d7cacc

SHA1
e8339bfbc51e980ad238eed63226dd46674a319d

SHA256
06503545933b22a2df81e95141695027b38780c7d6196eb3d291815f923c6177

SHA512
87afa130a5f494938c54cf7e230d3c7f7c1005c9b1401dd6ac3f2b1c8505fad7ed3b460dfc88cdc4ebd9285412eba33e3935df6dce4192c94296d174ce5fb088

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v51uiksz.pcd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat

Filesize
197B

MD5
2141ba3c94373f5e2ebec858c4e43962

SHA1
a694ba351bb21184f36944a95fad5ca5642ad719

SHA256
4026fd07f2f7022035a05755b23cdfc65f3e2f8412197280349635231f152e2d

SHA512
c79e87175b01e8e2c3bb196d6c55ac76d1422cd7af2be7a199877a45051a74552f6abecd8062e2e3c17012bb5c61a6d72cf60684a76751566b76c974bb59a056

Download Submit
C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat

Filesize
197B

MD5
d2975777e6ea8f259a001b1b3937d740

SHA1
a0162420ab623f3cc974fb3a4067be76a62ddf6b

SHA256
8cc2aafb6dbb0d92bf73182fee54f7d9b5a51e113403d9b6c768c8a540f6f18a

SHA512
9cca67fe7c595e17390d7252dc2c07b5dbe5a074c028b246a914c1505364d435a9b6ee2f03fc44a778f8458f689b40c8aee84c5437c43ebd79b71fc56cede278

Download Submit
C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

Filesize
197B

MD5
19f337ef37d429abd5ff4bc04582ea11

SHA1
f8db251f6ca47f1760b8b171a1bf37a4db8fa7b6

SHA256
591f68f215d4660703a59a694e273a55afb1bfd0a3d42fa419db62b0bc3d5f9a

SHA512
e140656cada76ece391bb12178dde81853675b1febbc1e906ef3d78a77183638b00ca13c13bc2dcfe18fd0547aaa5ef5b310cdf51828100d520b43b5355dcc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
197B

MD5
92b091c7d31ac9e75d348fb4f7fe7360

SHA1
b8b079c2e62f530ebc6b0696a3026177502b35e7

SHA256
07b85dea970cc8688f24b810f66b2514e9c01b17606dd243dd231ed13e903e84

SHA512
1e8b3ef6d0549636d746e6a73131eb9a1205451be516fe53e7d09eae9c6d7ed8d5bf0eee76a72e5ec73036be586864fe610299fd12cb3a1f3379d1d0bc2d7438

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1600-15-0x0000000002490000-0x000000000249C000-memory.dmp

Filesize
48KB

Download
memory/1600-12-0x00007FF9878F3000-0x00007FF9878F5000-memory.dmp

Filesize
8KB

Download
memory/1600-13-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/1600-14-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/1600-17-0x000000001B0F0000-0x000000001B0FC000-memory.dmp

Filesize
48KB

Download
memory/1600-16-0x00000000024A0000-0x00000000024AC000-memory.dmp

Filesize
48KB

Download
memory/1720-268-0x0000000000D60000-0x0000000000D72000-memory.dmp

Filesize
72KB

Download
memory/2416-216-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2468-60-0x0000015BF5D70000-0x0000015BF5D92000-memory.dmp

Filesize
136KB

Download
memory/2828-261-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2960-235-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2960-281-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/3164-202-0x0000000000F30000-0x0000000000F42000-memory.dmp

Filesize
72KB

Download
memory/3916-209-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/4440-242-0x000000001B610000-0x000000001B622000-memory.dmp

Filesize
72KB

Download
memory/5072-195-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/5108-192-0x000000001C2D0000-0x000000001C43A000-memory.dmp

Filesize
1.4MB

Download
memory/5108-102-0x0000000001160000-0x0000000001172000-memory.dmp

Filesize
72KB

Download