dcrat | fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525.exe
Size

1.3MB
MD5

9d9cc9b7ae3b9af2acbaa8ee4351a623
SHA1

996e8145fa86dc36e98c70e6c4e1262f4809ca2a
SHA256

fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525
SHA512

6b7d0300083eee64c409cc94161319f96c7e71b0661c720eedef8af4e4c0fab37c9df93ae4dead360cc741e8bd110e5b97fbcebe49580849cbdd24920ec06b09
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	532	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000e000000023bd7-10.dat	dcrat
behavioral2/memory/4592-13-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3200	powershell.exe
2972	powershell.exe
464	powershell.exe
2132	powershell.exe
4264	powershell.exe
4288	powershell.exe
3056	powershell.exe
3904	powershell.exe
1668	powershell.exe
4284	powershell.exe
2768	powershell.exe
2488	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Executes dropped EXE 15 IoCs

pid	Process
4592	DllCommonsvc.exe
4040	DllCommonsvc.exe
3204	DllCommonsvc.exe
2004	DllCommonsvc.exe
4224	DllCommonsvc.exe
2516	DllCommonsvc.exe
4840	DllCommonsvc.exe
3724	DllCommonsvc.exe
5112	DllCommonsvc.exe
5080	DllCommonsvc.exe
2676	DllCommonsvc.exe
3220	DllCommonsvc.exe
4356	DllCommonsvc.exe
4820	DllCommonsvc.exe
3240	DllCommonsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
52	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
44	raw.githubusercontent.com
54	raw.githubusercontent.com
56	raw.githubusercontent.com
25	raw.githubusercontent.com
57	raw.githubusercontent.com
17	raw.githubusercontent.com
46	raw.githubusercontent.com
53	raw.githubusercontent.com
55	raw.githubusercontent.com
58	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\it-IT\sysmon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\121e5b5079f7c0	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ee2ad38f3d4382	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\OfficeClickToRun.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Windows\PLA\Rules\en-US\Registry.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\Registry.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Rules\en-US\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	JaffaCakes118_fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1152	schtasks.exe
4808	schtasks.exe
2280	schtasks.exe
3012	schtasks.exe
2752	schtasks.exe
3208	schtasks.exe
3808	schtasks.exe
672	schtasks.exe
4760	schtasks.exe
2080	schtasks.exe
408	schtasks.exe
660	schtasks.exe
4812	schtasks.exe
4652	schtasks.exe
2012	schtasks.exe
2388	schtasks.exe
4972	schtasks.exe
5080	schtasks.exe
1552	schtasks.exe
3408	schtasks.exe
1620	schtasks.exe
2600	schtasks.exe
4556	schtasks.exe
2360	schtasks.exe
372	schtasks.exe
732	schtasks.exe
2380	schtasks.exe
4564	schtasks.exe
4884	schtasks.exe
3288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
4592	DllCommonsvc.exe
464	powershell.exe
1668	powershell.exe
2972	powershell.exe
2132	powershell.exe
464	powershell.exe
1668	powershell.exe
2972	powershell.exe
2132	powershell.exe
4040	DllCommonsvc.exe
4040	DllCommonsvc.exe
4040	DllCommonsvc.exe
4040	DllCommonsvc.exe
4040	DllCommonsvc.exe
4264	powershell.exe
2768	powershell.exe
3904	powershell.exe
4284	powershell.exe
3056	powershell.exe
2488	powershell.exe
2488	powershell.exe
4288	powershell.exe
4288	powershell.exe
3200	powershell.exe
3200	powershell.exe
3056	powershell.exe
3056	powershell.exe
3200	powershell.exe
3204	DllCommonsvc.exe
3204	DllCommonsvc.exe
4264	powershell.exe
4264	powershell.exe
2488	powershell.exe
2768	powershell.exe
2768	powershell.exe
3904	powershell.exe
3904	powershell.exe
4284	powershell.exe
4284	powershell.exe
4288	powershell.exe
2004	DllCommonsvc.exe
4224	DllCommonsvc.exe
2516	DllCommonsvc.exe
4840	DllCommonsvc.exe
3724	DllCommonsvc.exe
5112	DllCommonsvc.exe
5080	DllCommonsvc.exe
2676	DllCommonsvc.exe
3220	DllCommonsvc.exe
4356	DllCommonsvc.exe
4820	DllCommonsvc.exe
3240	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	DllCommonsvc.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	4040	DllCommonsvc.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	3204	DllCommonsvc.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	2004	DllCommonsvc.exe
Token: SeDebugPrivilege	4224	DllCommonsvc.exe
Token: SeDebugPrivilege	2516	DllCommonsvc.exe
Token: SeDebugPrivilege	4840	DllCommonsvc.exe
Token: SeDebugPrivilege	3724	DllCommonsvc.exe
Token: SeDebugPrivilege	5112	DllCommonsvc.exe
Token: SeDebugPrivilege	5080	DllCommonsvc.exe
Token: SeDebugPrivilege	2676	DllCommonsvc.exe
Token: SeDebugPrivilege	3220	DllCommonsvc.exe
Token: SeDebugPrivilege	4356	DllCommonsvc.exe
Token: SeDebugPrivilege	4820	DllCommonsvc.exe
Token: SeDebugPrivilege	3240	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 1880	3512	JaffaCakes118_fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525.exe	82
PID 3512 wrote to memory of 1880	3512	JaffaCakes118_fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525.exe	82
PID 3512 wrote to memory of 1880	3512	JaffaCakes118_fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525.exe	82
PID 1880 wrote to memory of 4676	1880	WScript.exe	83
PID 1880 wrote to memory of 4676	1880	WScript.exe	83
PID 1880 wrote to memory of 4676	1880	WScript.exe	83
PID 4676 wrote to memory of 4592	4676	cmd.exe	85
PID 4676 wrote to memory of 4592	4676	cmd.exe	85
PID 4592 wrote to memory of 2132	4592	DllCommonsvc.exe	96
PID 4592 wrote to memory of 2132	4592	DllCommonsvc.exe	96
PID 4592 wrote to memory of 1668	4592	DllCommonsvc.exe	97
PID 4592 wrote to memory of 1668	4592	DllCommonsvc.exe	97
PID 4592 wrote to memory of 2972	4592	DllCommonsvc.exe	98
PID 4592 wrote to memory of 2972	4592	DllCommonsvc.exe	98
PID 4592 wrote to memory of 464	4592	DllCommonsvc.exe	99
PID 4592 wrote to memory of 464	4592	DllCommonsvc.exe	99
PID 4592 wrote to memory of 3828	4592	DllCommonsvc.exe	104
PID 4592 wrote to memory of 3828	4592	DllCommonsvc.exe	104
PID 3828 wrote to memory of 5000	3828	cmd.exe	106
PID 3828 wrote to memory of 5000	3828	cmd.exe	106
PID 3828 wrote to memory of 4040	3828	cmd.exe	109
PID 3828 wrote to memory of 4040	3828	cmd.exe	109
PID 4040 wrote to memory of 4264	4040	DllCommonsvc.exe	131
PID 4040 wrote to memory of 4264	4040	DllCommonsvc.exe	131
PID 4040 wrote to memory of 4284	4040	DllCommonsvc.exe	132
PID 4040 wrote to memory of 4284	4040	DllCommonsvc.exe	132
PID 4040 wrote to memory of 2768	4040	DllCommonsvc.exe	133
PID 4040 wrote to memory of 2768	4040	DllCommonsvc.exe	133
PID 4040 wrote to memory of 4288	4040	DllCommonsvc.exe	134
PID 4040 wrote to memory of 4288	4040	DllCommonsvc.exe	134
PID 4040 wrote to memory of 3056	4040	DllCommonsvc.exe	135
PID 4040 wrote to memory of 3056	4040	DllCommonsvc.exe	135
PID 4040 wrote to memory of 3904	4040	DllCommonsvc.exe	136
PID 4040 wrote to memory of 3904	4040	DllCommonsvc.exe	136
PID 4040 wrote to memory of 2488	4040	DllCommonsvc.exe	137
PID 4040 wrote to memory of 2488	4040	DllCommonsvc.exe	137
PID 4040 wrote to memory of 3200	4040	DllCommonsvc.exe	138
PID 4040 wrote to memory of 3200	4040	DllCommonsvc.exe	138
PID 4040 wrote to memory of 3204	4040	DllCommonsvc.exe	147
PID 4040 wrote to memory of 3204	4040	DllCommonsvc.exe	147
PID 3204 wrote to memory of 4808	3204	DllCommonsvc.exe	150
PID 3204 wrote to memory of 4808	3204	DllCommonsvc.exe	150
PID 4808 wrote to memory of 3556	4808	cmd.exe	152
PID 4808 wrote to memory of 3556	4808	cmd.exe	152
PID 4808 wrote to memory of 2004	4808	cmd.exe	155
PID 4808 wrote to memory of 2004	4808	cmd.exe	155
PID 2004 wrote to memory of 3492	2004	DllCommonsvc.exe	156
PID 2004 wrote to memory of 3492	2004	DllCommonsvc.exe	156
PID 3492 wrote to memory of 880	3492	cmd.exe	159
PID 3492 wrote to memory of 880	3492	cmd.exe	159
PID 3492 wrote to memory of 4224	3492	cmd.exe	161
PID 3492 wrote to memory of 4224	3492	cmd.exe	161
PID 4224 wrote to memory of 2064	4224	DllCommonsvc.exe	162
PID 4224 wrote to memory of 2064	4224	DllCommonsvc.exe	162
PID 2064 wrote to memory of 4788	2064	cmd.exe	164
PID 2064 wrote to memory of 4788	2064	cmd.exe	164
PID 2064 wrote to memory of 2516	2064	cmd.exe	165
PID 2064 wrote to memory of 2516	2064	cmd.exe	165
PID 2516 wrote to memory of 4888	2516	DllCommonsvc.exe	166
PID 2516 wrote to memory of 4888	2516	DllCommonsvc.exe	166
PID 4888 wrote to memory of 5012	4888	cmd.exe	168
PID 4888 wrote to memory of 5012	4888	cmd.exe	168
PID 4888 wrote to memory of 4840	4888	cmd.exe	169
PID 4888 wrote to memory of 4840	4888	cmd.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fdab201136b38b2332a278f66e51a161a4b6f6b65b1ed6fcda5450f7c1903525.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ar0OY31ljn.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5000
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Rules\en-US\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\ja-JP\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\fontdrvhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3556
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:880
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4788
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:5012
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
        16⤵
        
        PID:3896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4308
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
        18⤵
        
        PID:3116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1072
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
        20⤵
        
        PID:2624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4744
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
        22⤵
        
        PID:4204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4676
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
        24⤵
        
        PID:4936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4192
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
        26⤵
        
        PID:4044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3276
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
        28⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3652
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
        30⤵
        
        PID:4136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3032
        
        C:\Program Files\Windows Mail\DllCommonsvc.exe
        
        "C:\Program Files\Windows Mail\DllCommonsvc.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat"
        32⤵
        
        PID:1072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Rules\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1008cfb29cdc25b4180c736ec404335

SHA1
39760fbcc8c1a64e856e98d61ce194d39b727438

SHA256
0eb4209b0f8c0dce02580b4d3ec5692d33be08b1a61858aad0413116afc95558

SHA512
00c2cde1601217c28fd71c2daefb21c7fcfeeee7e6badcd1b7f353f4e6df7817f5c4665148a1468b10ea31547642b999e3db5914d6e5f0cb1123243fd9ef213f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b77a9ceea31820624963a4d9bc92c3f2

SHA1
9d607362dd1e73dd0118f53d10dc40ceba96de51

SHA256
f6564fac403c9953410c87c206e15f5461791e939cb185fe033020f45ce7dd9f

SHA512
8a6469d41c193cdd57f575942f44b9a88f5a3e529e922ba2588fd292224c636a9702f6cb32e2d3a2cd2d276bb4b6734f863d87135e8693eb6defecf70f8c9693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
815f9e54d2e55a6cd87a044f75fdba0c

SHA1
9e2c91b5d015a2f96539227ed0a5d83cf26f6c08

SHA256
ec7d07723ca9c032e3662c0a316318065854ed4dc54106a5214278cbd148e75f

SHA512
9198d94b9d3ef35693881e3dc3e1c7f4b42d98f23a27f58cec67309628504de6940f0ac58bff1de2923b9d1b2dd11be82ea98bad9419d2e22f610df01c7401a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8846686b7f2d146c0baa27459eedbd8d

SHA1
c953a3d1c7870a9d7ded709301f3ae7f1ea94e61

SHA256
33e3dc5ccf5c09b1c26c524b284335712ef653a2b2169732d8d890f615026c65

SHA512
3e72136bff1772ae7934c67ead939b4783ffb9a3657a366881504c7a11e76abe6469b6a4701b031fd564e6d257f7c62f52fb69f93a67459fadf909fefbbe6154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3505effaead0f06d098f1aec01836881

SHA1
94bafdbeb2f5adbd8cec709574df5b8dbcc5eba3

SHA256
5d39a25ff8842c7c14aa14f99c5e3e1606fb7516c57f03dc41069df3c3de0517

SHA512
934d8eab5bc2ec20e800c668f3c3434829feade4771918a22d712f7ba39f91f93877a1e9dc1beac966646af0c9dd2cf118041535143b3abc585fea8dfb1299f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat

Filesize
211B

MD5
0ab237ae4314b14ad5a5a4f9f9099d87

SHA1
7fcebd9f5d5ebdf12360607aa9f7e876b20cbb1a

SHA256
960b722b09d30273c9951a736c4029162cf0e9476c666e2fe116c187fa9be301

SHA512
ef65ee66d9619223d08df746620b0424085b06702dd2a8ebc221e660299369d5729e6843013ee511733ab3bb1365715f9736f66cb5cdeff8d55be68f7e5708fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat

Filesize
211B

MD5
8d42f64a0da6d370b206d2d2b649e4cc

SHA1
623c9b84e49b264c1d5424c0b979dd04bbfbbc05

SHA256
18eddea1badd66daefa8f1071fdf413f399917c5ceef2c18614e7acf809b1b28

SHA512
6a7f8c41dbf943bc478349cb5dd5c19cb81a0e7243289c0564b9a85dd3ccbcad781f48bdbeb1c69dbb29c9e3bbf656fe96081e4a22f93c9bf2ab3e64ae128850

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

Filesize
211B

MD5
36114f769a214470a7939a295cb77df4

SHA1
e33e1db3657b8f2fa40c35cf56419602933c465a

SHA256
c551c5cbe7778736924b65e354ae6ffb8c9a5cf3bcd6cd66799b0c3604db5000

SHA512
50830695a8371c3a5c5325673ca9106f0c97e30657d5d2ebad8244151972373c277735fdceaf2449e8226e40fac7f595cf2d8ed5910658dda2a23dbc3749114c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat

Filesize
211B

MD5
eb76284acccf856f10ea77b74a40189e

SHA1
7c1483cba1063041bd9950a1d6d34c3605aa44d8

SHA256
985818bf8a0e515ebc0b1376659f84cfa1cc71e35a4b80a4199e443f4e02baeb

SHA512
47d98b0367409bd5162c31dca8993c9f4b298ca20e73e1dde9df4292d6a894807683e1058eee895ee11cb8a8190cca52456ce594bb0afa9809a8a720c153c108

Download Submit
C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat

Filesize
211B

MD5
3bd926834826e7b8cad971010a258dfb

SHA1
a0625945db267cc54623f2d22e0da1b9f8bf22b1

SHA256
ca611aa8917c55a3ebd641cb5a9f4b4a875d46ccbf60f5ff349d97f140cb14cf

SHA512
4194f475ec1c3e1dedcb1ccd903a228cdc09dbb9b7b65e63bbd82c3668d8a3e2d7a0b352ee5005aac8c2b719b04794b573a4580762ddf459df8e783eb0150efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat

Filesize
211B

MD5
dfef13385efad6385aa29737af3d67b7

SHA1
2a69b2656335b8ba2accfdc7b9176667ad3b06b9

SHA256
0bd366976d8ebabadb02bf1ea5a7ec8ace69967f170839bfa0bf091d836420ad

SHA512
363ea57ec8badba4122dd5535462b14dd208eee806214f0bb5fb9fbfb335713eeaf7a9191359b4808b93d33df2076b61cd143c944660bbcc10d45daf12dfc44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

Filesize
211B

MD5
f3b88c5b344ee7a1ef3e73e074c49f77

SHA1
0abf8cd4b61675c78e5342b1d6a373eb572f1d97

SHA256
a6767a6b5852909e601819af511b97b5bdcddb068fb4e45b6df88bf92ab2390f

SHA512
9f29b0974eb3502aa588ed7ddb6bf592b057b04b6d3453080adcbcc6b6c595187f197eae4fa145e426a33e6539a993c6404065c01c481a6173db50308f6080ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

Filesize
211B

MD5
f08162b22987e0ac0720920b374f76c0

SHA1
f211d41bb73363c8dec1ec1996d1f655ae9e2363

SHA256
257f56289d2a70e8418d2c85911c512d33deb59cd04f629ca8991c5fc86b63ef

SHA512
31d18d5055aca899355dbf3f7d7ebe0efb00a066cb1a842281ef3c87070b150ee70f04d780ebf5c808489b0c9737ca1452b5546f9560ad7e2fc8a6a6f2bfc15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat

Filesize
211B

MD5
22ebc4ec305d59765e2e06c104a98200

SHA1
3a09ebe2d4e1236a865dc0fb8268e776ea1a9dee

SHA256
ab0a83942a72ae067a565e37addd969c687dfaf58d1aac90e35f67789b1b5e5f

SHA512
0f2070edf631792e9a5988c6fba95b558baa0bbf1b61aaf79da3d9136904d2b11d329ea9daaacd1a607b12b08e4338673054d999f4a390225512b8c7b00ff21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat

Filesize
211B

MD5
c61b4b3b3a17dc1579ee8705a7a911e4

SHA1
9b921d16847d254fcfb6e0aa4d5dd3d73b4bf609

SHA256
e2e1b4a7b005fadea0cfb743fe6c1337d00a448ae68b3a10c1793cca853f2992

SHA512
1e0543c30cab8f4b107e8d4fea19e0bd054832ff9c578d97a13f72a35dab78b12a0beec9c72d7157ecb64899eb23f53fd36f82c6ad44b590bba54348dd247f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2h2yh0ti.u1p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ar0OY31ljn.bat

Filesize
199B

MD5
646ed21d5ac7ade27f9f7087264ac2fa

SHA1
011ba17c2e284c448899192f31b084b17fddcf23

SHA256
114ef82b94b22073f00b8017230b91ebc4576f40131e8ceef355ecee71634360

SHA512
c3fbd6ae7b824cab36d647f48f119c641b030785180a84543bf2a9ca73259a180765138fe52c54c40d49b096e601f80fed451d0706e971a14099935b9582c57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat

Filesize
211B

MD5
590596ad998beb32ee4adff19db3d814

SHA1
ef66e23ea6d978cf7df82a224d7e5d2fd6fcc752

SHA256
2633f2fa25ffe1437d1b8a6cd703a973458f21ffb37c9d754efdb5585dd82e51

SHA512
9ac6360d2315cf0a0aa182b27e30b758c486ac65fdd856a5c97a3a9d0896e6047107c3b37d5318b24991484a5ddcfe636dc28ff7750dda481b28f6d4c83f4ee5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/464-37-0x000001A9D1DD0000-0x000001A9D1DF2000-memory.dmp

Filesize
136KB

Download
memory/2516-210-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

Filesize
72KB

Download
memory/2676-241-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/3220-248-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4040-78-0x000000001AF10000-0x000000001AF22000-memory.dmp

Filesize
72KB

Download
memory/4224-203-0x000000001B850000-0x000000001B862000-memory.dmp

Filesize
72KB

Download
memory/4592-14-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/4592-13-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/4592-12-0x00007FFB39AF3000-0x00007FFB39AF5000-memory.dmp

Filesize
8KB

Download
memory/4592-17-0x0000000002540000-0x000000000254C000-memory.dmp

Filesize
48KB

Download
memory/4592-15-0x0000000002400000-0x000000000240C000-memory.dmp

Filesize
48KB

Download
memory/4592-16-0x0000000002530000-0x000000000253C000-memory.dmp

Filesize
48KB

Download