dcrat | 1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
Size

1.3MB
MD5

662eb62315bdd0c75616d1890a2e2717
SHA1

7fd0a233add6c42bc6bcb14527de31027bf21cc6
SHA256

1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7
SHA512

620afbf5e6704d5a5c35731c47ea06acbb62d74021e30f821d188212dfa9341798c6a7e6fc599e9de72407fe340dec272c7bbf5d60b5402ea9cd7d85f6550013
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3064	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3064	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023bb9-10.dat	dcrat
behavioral2/memory/5056-13-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4380	powershell.exe
5116	powershell.exe
3588	powershell.exe
4964	powershell.exe
1800	powershell.exe
924	powershell.exe
2116	powershell.exe
996	powershell.exe
1712	powershell.exe
3972	powershell.exe
1608	powershell.exe
3400	powershell.exe
1564	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 15 IoCs

pid	Process
5056	DllCommonsvc.exe
848	dllhost.exe
3616	dllhost.exe
4052	dllhost.exe
1860	dllhost.exe
4752	dllhost.exe
4988	dllhost.exe
3548	dllhost.exe
3372	dllhost.exe
3896	dllhost.exe
3012	dllhost.exe
2424	dllhost.exe
5060	dllhost.exe
4380	dllhost.exe
2800	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
40	raw.githubusercontent.com
49	raw.githubusercontent.com
51	raw.githubusercontent.com
13	raw.githubusercontent.com
37	raw.githubusercontent.com
48	raw.githubusercontent.com
41	raw.githubusercontent.com
50	raw.githubusercontent.com
53	raw.githubusercontent.com
52	raw.githubusercontent.com
23	raw.githubusercontent.com
36	raw.githubusercontent.com
42	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\55b276f4edf653	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Icons\SearchApp.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\121e5b5079f7c0	DllCommonsvc.exe
File created	C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\sysmon.exe	DllCommonsvc.exe
File created	C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\121e5b5079f7c0	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\services.exe	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\sysmon.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4392	schtasks.exe
3004	schtasks.exe
644	schtasks.exe
2908	schtasks.exe
2288	schtasks.exe
1572	schtasks.exe
3100	schtasks.exe
1584	schtasks.exe
2416	schtasks.exe
4528	schtasks.exe
4948	schtasks.exe
408	schtasks.exe
3668	schtasks.exe
1504	schtasks.exe
2664	schtasks.exe
4752	schtasks.exe
2724	schtasks.exe
3048	schtasks.exe
3484	schtasks.exe
680	schtasks.exe
1032	schtasks.exe
3548	schtasks.exe
5000	schtasks.exe
3084	schtasks.exe
312	schtasks.exe
3052	schtasks.exe
1840	schtasks.exe
3488	schtasks.exe
4812	schtasks.exe
1784	schtasks.exe
764	schtasks.exe
3104	schtasks.exe
1204	schtasks.exe
2716	schtasks.exe
2852	schtasks.exe
432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
5056	DllCommonsvc.exe
5056	DllCommonsvc.exe
5056	DllCommonsvc.exe
996	powershell.exe
996	powershell.exe
5116	powershell.exe
5116	powershell.exe
924	powershell.exe
924	powershell.exe
3588	powershell.exe
3588	powershell.exe
4964	powershell.exe
4964	powershell.exe
1608	powershell.exe
1608	powershell.exe
2116	powershell.exe
2116	powershell.exe
1564	powershell.exe
1564	powershell.exe
3972	powershell.exe
3972	powershell.exe
1712	powershell.exe
1712	powershell.exe
3400	powershell.exe
3400	powershell.exe
4380	powershell.exe
4380	powershell.exe
1800	powershell.exe
1800	powershell.exe
924	powershell.exe
1564	powershell.exe
3400	powershell.exe
996	powershell.exe
2116	powershell.exe
5116	powershell.exe
4964	powershell.exe
3972	powershell.exe
1608	powershell.exe
1712	powershell.exe
1800	powershell.exe
3588	powershell.exe
4380	powershell.exe
848	dllhost.exe
3616	dllhost.exe
4052	dllhost.exe
1860	dllhost.exe
4752	dllhost.exe
4988	dllhost.exe
3548	dllhost.exe
3372	dllhost.exe
3896	dllhost.exe
3012	dllhost.exe
2424	dllhost.exe
5060	dllhost.exe
4380	dllhost.exe
2800	dllhost.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	DllCommonsvc.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	848	dllhost.exe
Token: SeDebugPrivilege	3616	dllhost.exe
Token: SeDebugPrivilege	4052	dllhost.exe
Token: SeDebugPrivilege	1860	dllhost.exe
Token: SeDebugPrivilege	4752	dllhost.exe
Token: SeDebugPrivilege	4988	dllhost.exe
Token: SeDebugPrivilege	3548	dllhost.exe
Token: SeDebugPrivilege	3372	dllhost.exe
Token: SeDebugPrivilege	3896	dllhost.exe
Token: SeDebugPrivilege	3012	dllhost.exe
Token: SeDebugPrivilege	2424	dllhost.exe
Token: SeDebugPrivilege	5060	dllhost.exe
Token: SeDebugPrivilege	4380	dllhost.exe
Token: SeDebugPrivilege	2800	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 2512	3316	JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe	83
PID 3316 wrote to memory of 2512	3316	JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe	83
PID 3316 wrote to memory of 2512	3316	JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe	83
PID 2512 wrote to memory of 4292	2512	WScript.exe	85
PID 2512 wrote to memory of 4292	2512	WScript.exe	85
PID 2512 wrote to memory of 4292	2512	WScript.exe	85
PID 4292 wrote to memory of 5056	4292	cmd.exe	87
PID 4292 wrote to memory of 5056	4292	cmd.exe	87
PID 5056 wrote to memory of 4380	5056	DllCommonsvc.exe	126
PID 5056 wrote to memory of 4380	5056	DllCommonsvc.exe	126
PID 5056 wrote to memory of 924	5056	DllCommonsvc.exe	127
PID 5056 wrote to memory of 924	5056	DllCommonsvc.exe	127
PID 5056 wrote to memory of 5116	5056	DllCommonsvc.exe	128
PID 5056 wrote to memory of 5116	5056	DllCommonsvc.exe	128
PID 5056 wrote to memory of 4964	5056	DllCommonsvc.exe	129
PID 5056 wrote to memory of 4964	5056	DllCommonsvc.exe	129
PID 5056 wrote to memory of 2116	5056	DllCommonsvc.exe	130
PID 5056 wrote to memory of 2116	5056	DllCommonsvc.exe	130
PID 5056 wrote to memory of 3588	5056	DllCommonsvc.exe	131
PID 5056 wrote to memory of 3588	5056	DllCommonsvc.exe	131
PID 5056 wrote to memory of 996	5056	DllCommonsvc.exe	136
PID 5056 wrote to memory of 996	5056	DllCommonsvc.exe	136
PID 5056 wrote to memory of 1800	5056	DllCommonsvc.exe	138
PID 5056 wrote to memory of 1800	5056	DllCommonsvc.exe	138
PID 5056 wrote to memory of 1564	5056	DllCommonsvc.exe	139
PID 5056 wrote to memory of 1564	5056	DllCommonsvc.exe	139
PID 5056 wrote to memory of 1608	5056	DllCommonsvc.exe	140
PID 5056 wrote to memory of 1608	5056	DllCommonsvc.exe	140
PID 5056 wrote to memory of 3972	5056	DllCommonsvc.exe	141
PID 5056 wrote to memory of 3972	5056	DllCommonsvc.exe	141
PID 5056 wrote to memory of 1712	5056	DllCommonsvc.exe	142
PID 5056 wrote to memory of 1712	5056	DllCommonsvc.exe	142
PID 5056 wrote to memory of 3400	5056	DllCommonsvc.exe	143
PID 5056 wrote to memory of 3400	5056	DllCommonsvc.exe	143
PID 5056 wrote to memory of 4624	5056	DllCommonsvc.exe	152
PID 5056 wrote to memory of 4624	5056	DllCommonsvc.exe	152
PID 4624 wrote to memory of 3052	4624	cmd.exe	154
PID 4624 wrote to memory of 3052	4624	cmd.exe	154
PID 4624 wrote to memory of 848	4624	cmd.exe	156
PID 4624 wrote to memory of 848	4624	cmd.exe	156
PID 848 wrote to memory of 2592	848	dllhost.exe	158
PID 848 wrote to memory of 2592	848	dllhost.exe	158
PID 2592 wrote to memory of 2328	2592	cmd.exe	160
PID 2592 wrote to memory of 2328	2592	cmd.exe	160
PID 2592 wrote to memory of 3616	2592	cmd.exe	167
PID 2592 wrote to memory of 3616	2592	cmd.exe	167
PID 3616 wrote to memory of 3076	3616	dllhost.exe	176
PID 3616 wrote to memory of 3076	3616	dllhost.exe	176
PID 3076 wrote to memory of 4880	3076	cmd.exe	178
PID 3076 wrote to memory of 4880	3076	cmd.exe	178
PID 3076 wrote to memory of 4052	3076	cmd.exe	182
PID 3076 wrote to memory of 4052	3076	cmd.exe	182
PID 4052 wrote to memory of 2804	4052	dllhost.exe	184
PID 4052 wrote to memory of 2804	4052	dllhost.exe	184
PID 2804 wrote to memory of 1192	2804	cmd.exe	186
PID 2804 wrote to memory of 1192	2804	cmd.exe	186
PID 2804 wrote to memory of 1860	2804	cmd.exe	188
PID 2804 wrote to memory of 1860	2804	cmd.exe	188
PID 1860 wrote to memory of 948	1860	dllhost.exe	190
PID 1860 wrote to memory of 948	1860	dllhost.exe	190
PID 948 wrote to memory of 1784	948	cmd.exe	192
PID 948 wrote to memory of 1784	948	cmd.exe	192
PID 948 wrote to memory of 4752	948	cmd.exe	194
PID 948 wrote to memory of 4752	948	cmd.exe	194

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1197d6191e1899c47d8a17b899f03dcaaf7f3105db196a6d514c469e1b3bc9e7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lMdGL7rdPU.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3052
      - C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2328
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4880
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1192
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1784
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat"
        15⤵
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1164
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat"
        17⤵
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1740
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
        19⤵
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2220
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
        21⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3656
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
        23⤵
        
        PID:452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3476
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        25⤵
        
        PID:4512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:5032
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
        27⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2956
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"
        29⤵
        
        PID:4964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4276
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        31⤵
        
        PID:116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1800
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\SKB\LanguageModels\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\SKB\LanguageModels\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat

Filesize
194B

MD5
10049c3bb479ddb3d3fa9b93d4d43136

SHA1
81d260ac6717f6e6d0fa7fd1238663cbc16ec843

SHA256
de74620c10e39c5d0cac9fe66a7416f26af9bec4dbabcca96cd4af68dfdd8a1e

SHA512
54ae3ab575359e1b5cca89811ad4177322431b8e3ed0e2e892b43c0f2a78f4f21b19aa36e68d0ef1ffbe164c0052220eae877a44ee33373c0124abd3b0ffc175

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat

Filesize
194B

MD5
1e8023b31697700ea0d3d2a6a1471c4a

SHA1
9ed9b5ee0f96044b42edae17bf9ef682aa7091f7

SHA256
087410b75d52b695fd0d6fc1219ec77093f5fe82b1e76cb16566bf4eafa57dac

SHA512
bb4e7caba332c07648dbc3378947973453c6b06096e20f3d8c4221fe4bd9c8b4482b09b9434e4157ee5132c480c2acb720fcb4d31c87a668e385b397f6bf2691

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat

Filesize
194B

MD5
c31ff6075b7b9bdc0124d3fd04c52ef1

SHA1
a4d72b2ffeb0df83176f0b16bac6df78466ca26c

SHA256
179d54330fbdcd242afae793d03c8411fa9650c766760150359932f725f128ba

SHA512
74c895ce09893561180a72cee68a6c2dd0d5b299cbbab69d18eeb990fdc9b73b44d1ce4bb488bf91b238b25f1e12a96f15cf0ebd0f4402a833d08e2b5c71b05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

Filesize
194B

MD5
ca6f3b29649f5fbf859d1182074422dd

SHA1
c0be87390e4d12ad6e75f439244b421ffa2c0bf1

SHA256
e8d830e75608cd20d773aaa75629b6aae23444f0448a65d60cf6cc57766ce71d

SHA512
31154e0f4d7132f7a2e24727888ac9053b69ad5c9fc7a879915fd342c67a09fdce2f9462fee164d265a2ceadbbf064b3de35cd1b8f053ac579945dc9d252337d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat

Filesize
194B

MD5
9e222cf3090a3c137a942360429ddbc7

SHA1
29faba9d282a93ac5cd5849822c658eaea88b8a0

SHA256
e95378ede949db3518de2fe1672205e7677fec06b65f8f5b34030c8c6c20b26e

SHA512
152e57ebc2bd8edfdad8122a0bfb95db9273898cfc196588ccb433d9aaca02e8990ce4c7012c68f4d9f9999f60a74fc80624134b08da7165d6ec48f06f02841a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat

Filesize
194B

MD5
0eeec5248c1a404e702de7e41ffab84a

SHA1
745e8118689fa234990fad3d2cb8aa23f8cbcd22

SHA256
5f4b8c70b199cd0507452ef37976ee5714a5630f9679fe24bfa9577699006634

SHA512
db2876da88278a2b3862dbed98d592dbdfffc26685f6cf562cf00bcb511c24f89a5718318f9e4958b9e4cf1a3773bf57f0bfa104bea80909913cd217ddd02a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat

Filesize
194B

MD5
c6c8d1b4df06a9bbef518bb9d249460a

SHA1
cef38ff71639adb97340391e913417e069bc4095

SHA256
630b449c9c9ce4b6344b889d131af084bc8a0b19ab179b7ecd02b4f0bf0cafe5

SHA512
7faaaa168513f3331a5223aee5ae08842d0f5c6e949531f1a9e033dbb5d6fd65da5334abb4d02e7da355b3be69a8f0632e1b62e2454835aea6406dfa8c897448

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lesamoap.ovh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

Filesize
194B

MD5
d34b029aa4f4fbfa6ee8716e84cc6247

SHA1
a80867d395fb8c7eee0acecc3931d944f05dc9e8

SHA256
074b847fd10a2adc7001a64067659f09f155e012aa357d7b2afc13c0d1538f5d

SHA512
25b08826bf7b77ead324f00c30006089b74979c7aeb8b1a7008ac938ab399e223a9b3f5ad44c45983c74f575e3253edf1c109ae2a66dbbb7ec0c01a80ce45a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat

Filesize
194B

MD5
9a4c0c2b9ce0c5e506fe7b6590dc5417

SHA1
df18642556a3e11b58df08f10134b0acd05a58a5

SHA256
79907e69d8d9e6629842258398b122853283a16b6ab2e876e2c3f5aa892e5df1

SHA512
08bc034a1e7e7c3f70fe66b8967d62c15dfe5e0f68da4f2c32521e28f8d45972119fa97d04edf325b5742194c46474cf21fd92fe581361f7fdd0da7f5eb465a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
194B

MD5
16cce5a6187982e4e03cb78e5c2304f0

SHA1
da14929acb30435460dd09647d0314876eca4944

SHA256
08d29d774fc2c87cfcbd86e42708940fee704e4a2153eeeb1371baaec2f3957b

SHA512
2bf6d002f9cbbaabc0afc280304093d7e0eac3b3f5c384aa86190badf9c20b3029642b3b30fe37103d9d689045ea3d7ad75dce11d70da7bcfe2d0c3943247b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMdGL7rdPU.bat

Filesize
194B

MD5
7adf5eda2bd63e07ea14b60518697e12

SHA1
3b738b53767d7c08d84ae64ded5099ab938f4e32

SHA256
171310a40af476dcbc345ef0099718b4798a1efc05744875f8e4a8d85c532465

SHA512
f1a57a4a2eee40a9c4aa0f5f6f35dffcfcce17de8ae3384bdea45b4120a3d283ca0dc637723d678c97eba686a41d51884b9098f5c42156959dad208c6f12b819

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat

Filesize
194B

MD5
ed8cd8cde8182772e09d8e3e1b303719

SHA1
955118d2c059f6832e1ef6eb2015c7cbb7b129ea

SHA256
3e7cf3ff28c09424d58e58a090b8f0d09e41070cddcafef0fb5511f038b3af38

SHA512
030193e59ff4fd42ed8d59dc9f487f48cda5d69cb705cc7f2740a43126916d105b31dc506f2c50b5504576be02b8afb3b523c2471ad68757ca5654906b16d3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
194B

MD5
95cbaf25f7db16f7bae72c4dcb3001f0

SHA1
f445a16f27fdad5101ef56143b4d74d81d798e36

SHA256
6e9a9fadd14e40ede270b09431db76fd667088fc30cd78292b72138c6c261162

SHA512
79001a039941401cdb1f64ff84db13a39bf2a7ab581bf18c8aea215dba80fb397e83f7a9074c81bc4a0c3d9ae5e10be4ee31d90eb1f28dac79e02ec1f1b52664

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat

Filesize
194B

MD5
462e25cb87a7608b982ce054adf93203

SHA1
f6643df0ed2c68cfda8c31dd007b1ad4823ee06b

SHA256
2f8056c7a86a5eda022b3fcc79ffb2297b1ce1aa082dcecb633b7b97462d3fa6

SHA512
dfaf1c0d523a31b3635e71dfc522146e29462f608f13772fa3082085bf9b4d7e01ddf2ffc1aadba8ad53441f9e9b6ff170018c4c728b76b6a1f506b9a489c5eb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2800-277-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4380-270-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/5056-16-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/5056-12-0x00007FF823C43000-0x00007FF823C45000-memory.dmp

Filesize
8KB

Download
memory/5056-13-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/5056-14-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/5056-15-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/5056-17-0x00000000022F0000-0x00000000022FC000-memory.dmp

Filesize
48KB

Download
memory/5116-65-0x0000021E50990000-0x0000021E509B2000-memory.dmp

Filesize
136KB

Download