dcrat | acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351.exe
Size

1.3MB
MD5

7372ccb0ea82d0b8bd73ee2255522c5c
SHA1

0286c116782cf98a8d88c0e1ba26c7a269bacfe3
SHA256

acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351
SHA512

451b22184e30c995f1180e54bc16200c421f3965aa6c26dae7a238fcbf75d94f93740e639b92c460743fdba5c1aed654eb09600fc71ee67994c3a2498b80820b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	4068	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	4068	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b85-10.dat	dcrat
behavioral2/memory/1436-13-0x00000000005F0000-0x0000000000700000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3240	powershell.exe
1372	powershell.exe
2236	powershell.exe
424	powershell.exe
1508	powershell.exe
2968	powershell.exe
604	powershell.exe
3580	powershell.exe
1688	powershell.exe
1852	powershell.exe
100	powershell.exe
1616	powershell.exe
2808	powershell.exe
1768	powershell.exe
2856	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Executes dropped EXE 11 IoCs

pid	Process
1436	DllCommonsvc.exe
4364	SearchApp.exe
4288	SearchApp.exe
1400	SearchApp.exe
1680	SearchApp.exe
3844	SearchApp.exe
3612	SearchApp.exe
3728	SearchApp.exe
60	SearchApp.exe
1180	SearchApp.exe
3348	SearchApp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
43	raw.githubusercontent.com
46	raw.githubusercontent.com
49	raw.githubusercontent.com
50	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com
23	raw.githubusercontent.com
51	raw.githubusercontent.com
29	raw.githubusercontent.com
42	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\sysmon.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\121e5b5079f7c0	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\38384e6a620884	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	JaffaCakes118_acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
676	schtasks.exe
1428	schtasks.exe
3280	schtasks.exe
2192	schtasks.exe
1860	schtasks.exe
3576	schtasks.exe
1952	schtasks.exe
448	schtasks.exe
2584	schtasks.exe
2336	schtasks.exe
2012	schtasks.exe
2304	schtasks.exe
1716	schtasks.exe
4852	schtasks.exe
3612	schtasks.exe
1188	schtasks.exe
1320	schtasks.exe
2324	schtasks.exe
3972	schtasks.exe
1356	schtasks.exe
1092	schtasks.exe
3864	schtasks.exe
620	schtasks.exe
8	schtasks.exe
3436	schtasks.exe
4564	schtasks.exe
4092	schtasks.exe
4336	schtasks.exe
3620	schtasks.exe
3844	schtasks.exe
1228	schtasks.exe
2904	schtasks.exe
4228	schtasks.exe
3496	schtasks.exe
5012	schtasks.exe
4136	schtasks.exe
2924	schtasks.exe
4292	schtasks.exe
1004	schtasks.exe
2624	schtasks.exe
964	schtasks.exe
408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1436	DllCommonsvc.exe
1852	powershell.exe
3240	powershell.exe
1852	powershell.exe
3240	powershell.exe
1768	powershell.exe
1768	powershell.exe
2856	powershell.exe
2856	powershell.exe
100	powershell.exe
100	powershell.exe
1688	powershell.exe
1688	powershell.exe
2236	powershell.exe
2236	powershell.exe
2968	powershell.exe
2968	powershell.exe
3580	powershell.exe
3580	powershell.exe
2808	powershell.exe
2808	powershell.exe
1372	powershell.exe
1372	powershell.exe
1616	powershell.exe
1616	powershell.exe
424	powershell.exe
424	powershell.exe
1508	powershell.exe
1508	powershell.exe
604	powershell.exe
604	powershell.exe
1688	powershell.exe
2236	powershell.exe
1852	powershell.exe
2856	powershell.exe
2808	powershell.exe
1768	powershell.exe
424	powershell.exe
3240	powershell.exe
100	powershell.exe
2968	powershell.exe
1372	powershell.exe
1508	powershell.exe
604	powershell.exe
1616	powershell.exe
3580	powershell.exe
4364	SearchApp.exe
4288	SearchApp.exe
1400	SearchApp.exe
1680	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	DllCommonsvc.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	4364	SearchApp.exe
Token: SeDebugPrivilege	4288	SearchApp.exe
Token: SeDebugPrivilege	1400	SearchApp.exe
Token: SeDebugPrivilege	1680	SearchApp.exe
Token: SeDebugPrivilege	3844	SearchApp.exe
Token: SeDebugPrivilege	3612	SearchApp.exe
Token: SeDebugPrivilege	3728	SearchApp.exe
Token: SeDebugPrivilege	60	SearchApp.exe
Token: SeDebugPrivilege	1180	SearchApp.exe
Token: SeDebugPrivilege	3348	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 3724	4408	JaffaCakes118_acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351.exe	83
PID 4408 wrote to memory of 3724	4408	JaffaCakes118_acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351.exe	83
PID 4408 wrote to memory of 3724	4408	JaffaCakes118_acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351.exe	83
PID 3724 wrote to memory of 2812	3724	WScript.exe	86
PID 3724 wrote to memory of 2812	3724	WScript.exe	86
PID 3724 wrote to memory of 2812	3724	WScript.exe	86
PID 2812 wrote to memory of 1436	2812	cmd.exe	88
PID 2812 wrote to memory of 1436	2812	cmd.exe	88
PID 1436 wrote to memory of 1616	1436	DllCommonsvc.exe	133
PID 1436 wrote to memory of 1616	1436	DllCommonsvc.exe	133
PID 1436 wrote to memory of 2856	1436	DllCommonsvc.exe	134
PID 1436 wrote to memory of 2856	1436	DllCommonsvc.exe	134
PID 1436 wrote to memory of 100	1436	DllCommonsvc.exe	135
PID 1436 wrote to memory of 100	1436	DllCommonsvc.exe	135
PID 1436 wrote to memory of 3240	1436	DllCommonsvc.exe	136
PID 1436 wrote to memory of 3240	1436	DllCommonsvc.exe	136
PID 1436 wrote to memory of 3580	1436	DllCommonsvc.exe	137
PID 1436 wrote to memory of 3580	1436	DllCommonsvc.exe	137
PID 1436 wrote to memory of 1768	1436	DllCommonsvc.exe	139
PID 1436 wrote to memory of 1768	1436	DllCommonsvc.exe	139
PID 1436 wrote to memory of 604	1436	DllCommonsvc.exe	140
PID 1436 wrote to memory of 604	1436	DllCommonsvc.exe	140
PID 1436 wrote to memory of 1852	1436	DllCommonsvc.exe	141
PID 1436 wrote to memory of 1852	1436	DllCommonsvc.exe	141
PID 1436 wrote to memory of 2968	1436	DllCommonsvc.exe	142
PID 1436 wrote to memory of 2968	1436	DllCommonsvc.exe	142
PID 1436 wrote to memory of 424	1436	DllCommonsvc.exe	143
PID 1436 wrote to memory of 424	1436	DllCommonsvc.exe	143
PID 1436 wrote to memory of 2808	1436	DllCommonsvc.exe	144
PID 1436 wrote to memory of 2808	1436	DllCommonsvc.exe	144
PID 1436 wrote to memory of 2236	1436	DllCommonsvc.exe	145
PID 1436 wrote to memory of 2236	1436	DllCommonsvc.exe	145
PID 1436 wrote to memory of 1688	1436	DllCommonsvc.exe	146
PID 1436 wrote to memory of 1688	1436	DllCommonsvc.exe	146
PID 1436 wrote to memory of 1372	1436	DllCommonsvc.exe	147
PID 1436 wrote to memory of 1372	1436	DllCommonsvc.exe	147
PID 1436 wrote to memory of 1508	1436	DllCommonsvc.exe	148
PID 1436 wrote to memory of 1508	1436	DllCommonsvc.exe	148
PID 1436 wrote to memory of 3200	1436	DllCommonsvc.exe	163
PID 1436 wrote to memory of 3200	1436	DllCommonsvc.exe	163
PID 3200 wrote to memory of 4056	3200	cmd.exe	165
PID 3200 wrote to memory of 4056	3200	cmd.exe	165
PID 3200 wrote to memory of 4364	3200	cmd.exe	169
PID 3200 wrote to memory of 4364	3200	cmd.exe	169
PID 4364 wrote to memory of 3496	4364	SearchApp.exe	170
PID 4364 wrote to memory of 3496	4364	SearchApp.exe	170
PID 3496 wrote to memory of 4700	3496	cmd.exe	172
PID 3496 wrote to memory of 4700	3496	cmd.exe	172
PID 3496 wrote to memory of 4288	3496	cmd.exe	173
PID 3496 wrote to memory of 4288	3496	cmd.exe	173
PID 4288 wrote to memory of 1768	4288	SearchApp.exe	175
PID 4288 wrote to memory of 1768	4288	SearchApp.exe	175
PID 1768 wrote to memory of 2932	1768	cmd.exe	177
PID 1768 wrote to memory of 2932	1768	cmd.exe	177
PID 1768 wrote to memory of 1400	1768	cmd.exe	178
PID 1768 wrote to memory of 1400	1768	cmd.exe	178
PID 1400 wrote to memory of 2584	1400	SearchApp.exe	179
PID 1400 wrote to memory of 2584	1400	SearchApp.exe	179
PID 2584 wrote to memory of 1168	2584	cmd.exe	181
PID 2584 wrote to memory of 1168	2584	cmd.exe	181
PID 2584 wrote to memory of 1680	2584	cmd.exe	182
PID 2584 wrote to memory of 1680	2584	cmd.exe	182
PID 1680 wrote to memory of 1508	1680	SearchApp.exe	184
PID 1680 wrote to memory of 1508	1680	SearchApp.exe	184

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acec4b47400be22ff71705ddc58db03a4727060ec9e021894651ed8abb681351.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BbivAIkaHe.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3200
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4056
      - C:\providercommon\SearchApp.exe
        
        "C:\providercommon\SearchApp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4700
        
        C:\providercommon\SearchApp.exe
        
        "C:\providercommon\SearchApp.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2932
        
        C:\providercommon\SearchApp.exe
        
        "C:\providercommon\SearchApp.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1168
        
        C:\providercommon\SearchApp.exe
        
        "C:\providercommon\SearchApp.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
        13⤵
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:940
        
        C:\providercommon\SearchApp.exe
        
        "C:\providercommon\SearchApp.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
        15⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4704
        
        C:\providercommon\SearchApp.exe
        
        "C:\providercommon\SearchApp.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
        17⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4528
        
        C:\providercommon\SearchApp.exe
        
        "C:\providercommon\SearchApp.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
        19⤵
        
        PID:4652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3048
        
        C:\providercommon\SearchApp.exe
        
        "C:\providercommon\SearchApp.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
        21⤵
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1112
        
        C:\providercommon\SearchApp.exe
        
        "C:\providercommon\SearchApp.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        23⤵
        
        PID:620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2344
        
        C:\providercommon\SearchApp.exe
        
        "C:\providercommon\SearchApp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\providercommon\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\providercommon\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat

Filesize
196B

MD5
a96becc23ffb4ce58150535403219e25

SHA1
d5682220f117c3b76fed95189dd184e237db26c2

SHA256
0958b3f5dd900ef7cd2cbd067a5ced873a9c17c4c9112593b25894aba1fc456d

SHA512
7eaf4c22d999a5f58e85a4a3322642a9dfa2906eea9fd61fdbb697a7abf18ed9d431db1c40354d63e547212c7bcc7b209b62728ec22b5dc5163dba9ca0664a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat

Filesize
196B

MD5
ba8ee1f8f5bfe97c26ac72dd99cb4c48

SHA1
ff86cee041687bd70dc40b94fb81c0f68651aa5c

SHA256
9b44f34a5aa1a4b67ac3565d777877b4597f2fe95cd12e979677336513a7bd7f

SHA512
77d11e2c590421c7ac0a181a507c512ee45fd3c9d6930e6c236913765873ef163ef73445149f571a3654ad881bed5f30a00c9ce79ac47f1d035f83ba83793457

Download Submit
C:\Users\Admin\AppData\Local\Temp\BbivAIkaHe.bat

Filesize
196B

MD5
3872a6b3ab3ff864803d4b83202381c6

SHA1
411138398a3746d4a0b63069ec8711c44ec28bbe

SHA256
96a402d30148045eb5fe07182a6a0539e07fc11c26f7decf9f044ef645e36bcc

SHA512
b3c294302bd3a4a6d5d1e20cb3f8da532e35d6347a0cbe5cfcb504dcc1d13976044d9ffa51abdee89078be91cb52388a372807e54905493bed750be519dc609a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

Filesize
196B

MD5
6007ee486be5814e8d6a4662863ddac3

SHA1
07711151b3470286f18ccb21c7b30a48f19d4163

SHA256
b821236d00f2b8c04f7333792dfd25cc6e9923a9d014833c70d35051b4b9de94

SHA512
dd6e83e0b9e3c9d2e663f345093eeb2b0454e121d29b00f456ba4c507dc543ea6fd487ae1cd8bd646232d7472a4eafe1d071654587279fd10bdd8e06e3909cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat

Filesize
196B

MD5
96f9beca37f292aaa0a26fe3a13bd44c

SHA1
1e2a66b8d2455569ffa5225233bb784c6c1ba207

SHA256
5f9c92177a1cd79658258c68a5ea54c426cc496bb69ea1c0428269c073775180

SHA512
190281f0832f1d263d05cffa9d14374767d93a08c26b8c109e4e2a682b41dc96d8a4335db8f0eccfa42ab57c50f5845ad65ac328085702486ef1dbcc09f92136

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat

Filesize
196B

MD5
4236c1dfb2adf3069eb227f6b3b97098

SHA1
dcaef584bf2cc1e33169a2da8098b2626bcbedcb

SHA256
8249807ea452dd43b051b181cdc4c82f72af79c5109c8ea4b46b640d373665ca

SHA512
9ce900a0e39a151d7f3f749755b03fffb36aea2d34edb32ab7ff15a0d520720b0c55779c1a4101244f9bf5689c18b8137f1e91798528ab37c851aafe80473d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat

Filesize
196B

MD5
56ec49ae62f265fee439f8e96e55c151

SHA1
c57aa709e740d6577abecc13a4d3934bc1be9b74

SHA256
5d1e132806b1a7f66722d714235468c243c3fe8b49bdeb41385c61d0aed055e8

SHA512
d5a8be3d2aad1f6ea45ee7df9f34f167228cdbf14aaee01b25425268ba88ad2e94f7489e3b84299876920a6fc1fa40a75518b373481bfb98d35049bc375cc23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
196B

MD5
1063ce535be0b2547ccd2ff842c3c81b

SHA1
62cfa0220ad4e69e5bcae7cb31474bbb0cb3c322

SHA256
e51861cf1349f497157f1f86067c683df88c068e82d07dce290c2325fe51f659

SHA512
1ff61f2c64d167e7e296ed4b5266885304e61706d11db6c66b83c911a7e80b8f0844d398781aa5e79b301435541cb30d32067690b7c5beda3f996cd6122b1b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k1itl4uf.e3v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
196B

MD5
efe8c0685cd5ebe1811aa5448f6cf930

SHA1
dc5826575b1e18cf1e6960da2d6b573ba81682f7

SHA256
b5049abb5e545e01087d3858908c215e87cee35f70f5e3e8bd317618a3ba08b9

SHA512
c726e4d5975f27c7c57dbb9f4cbf1ffcc72dd144df23ee05d76b3159d4a90ea1001c60576112a199830f335839e958ca7d7f6d27a7a1a0ff8bbbfb9523d9b0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

Filesize
196B

MD5
8933f64f152f779efee34e8e6a344f90

SHA1
2201eb2a074d18cfb71e966ca2276068e225230c

SHA256
4dd0d64312d6bc9a87bb7b771da5cfac888fd67cfbcdef7a905f286fb1170c0b

SHA512
b4005fde99aef182c0eee79be2034cb77d07b127c8d4d0b6f5497cca3d0a6bfe0049ab03210ca1efb553091e5a07fc2b0e42428b232b7e5e703b08e4578fc32e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1436-17-0x00000000028F0000-0x00000000028FC000-memory.dmp

Filesize
48KB

Download
memory/1436-16-0x00000000028E0000-0x00000000028EC000-memory.dmp

Filesize
48KB

Download
memory/1436-15-0x00000000028C0000-0x00000000028CC000-memory.dmp

Filesize
48KB

Download
memory/1436-14-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/1436-13-0x00000000005F0000-0x0000000000700000-memory.dmp

Filesize
1.1MB

Download
memory/1436-12-0x00007FFB5E3A3000-0x00007FFB5E3A5000-memory.dmp

Filesize
8KB

Download
memory/1680-243-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1680-248-0x000000001BCE0000-0x000000001BE4A000-memory.dmp

Filesize
1.4MB

Download
memory/1852-65-0x0000020675240000-0x0000020675262000-memory.dmp

Filesize
136KB

Download
memory/3348-283-0x0000000002E70000-0x0000000002E82000-memory.dmp

Filesize
72KB

Download
memory/3728-264-0x0000000001510000-0x0000000001522000-memory.dmp

Filesize
72KB

Download
memory/3844-255-0x000000001BC10000-0x000000001BD7A000-memory.dmp

Filesize
1.4MB

Download
memory/4364-222-0x0000000000FF0000-0x0000000001002000-memory.dmp

Filesize
72KB

Download