dcrat | 28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
Size

1.3MB
MD5

86530bf4b3d606a1f3031a93d8d02712
SHA1

9a4ebab5ec898e73aa30c28fd695ec95e6e6e22b
SHA256

28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7
SHA512

f42cc0f5a0a1a909a9f16a6c08a882dee15ca34e4b6514d2e35c3eb3a0206f11f8cb8230c483baede054248bd93afafe505e524c4d7549aa9e8afb983d1fe771
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3588	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b8a-10.dat	dcrat
behavioral2/memory/3544-13-0x0000000000780000-0x0000000000890000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3352	powershell.exe
3524	powershell.exe
1808	powershell.exe
4056	powershell.exe
1216	powershell.exe
2508	powershell.exe
4776	powershell.exe
296	powershell.exe
3320	powershell.exe
2744	powershell.exe
5000	powershell.exe
4108	powershell.exe
3628	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Executes dropped EXE 13 IoCs

pid	Process
3544	DllCommonsvc.exe
4448	WmiPrvSE.exe
4712	WmiPrvSE.exe
4528	WmiPrvSE.exe
2928	WmiPrvSE.exe
4752	WmiPrvSE.exe
2972	WmiPrvSE.exe
4548	WmiPrvSE.exe
948	WmiPrvSE.exe
1452	WmiPrvSE.exe
2404	WmiPrvSE.exe
2308	WmiPrvSE.exe
4056	WmiPrvSE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
19	raw.githubusercontent.com
36	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com
50	raw.githubusercontent.com
20	raw.githubusercontent.com
22	raw.githubusercontent.com
37	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\System\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\ImmersiveControlPanel\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\System.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\System\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\SystemResources\Windows.UI.Search\Images\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\ImmersiveControlPanel\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WmiPrvSE.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4712	schtasks.exe
2232	schtasks.exe
1476	schtasks.exe
4124	schtasks.exe
5036	schtasks.exe
2932	schtasks.exe
2584	schtasks.exe
5096	schtasks.exe
3112	schtasks.exe
808	schtasks.exe
1468	schtasks.exe
776	schtasks.exe
5084	schtasks.exe
2800	schtasks.exe
4148	schtasks.exe
1064	schtasks.exe
292	schtasks.exe
1364	schtasks.exe
4512	schtasks.exe
3128	schtasks.exe
2636	schtasks.exe
2112	schtasks.exe
2328	schtasks.exe
1268	schtasks.exe
5064	schtasks.exe
1448	schtasks.exe
3596	schtasks.exe
1168	schtasks.exe
2012	schtasks.exe
3020	schtasks.exe
392	schtasks.exe
2972	schtasks.exe
3680	schtasks.exe
444	schtasks.exe
4452	schtasks.exe
3460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3544	DllCommonsvc.exe
3544	DllCommonsvc.exe
3544	DllCommonsvc.exe
4056	powershell.exe
4056	powershell.exe
3628	powershell.exe
3628	powershell.exe
4108	powershell.exe
4108	powershell.exe
4776	powershell.exe
4776	powershell.exe
3524	powershell.exe
3524	powershell.exe
1808	powershell.exe
1808	powershell.exe
2744	powershell.exe
2744	powershell.exe
296	powershell.exe
296	powershell.exe
5000	powershell.exe
5000	powershell.exe
3320	powershell.exe
3320	powershell.exe
3352	powershell.exe
3352	powershell.exe
1216	powershell.exe
1216	powershell.exe
3352	powershell.exe
2508	powershell.exe
2508	powershell.exe
3524	powershell.exe
1808	powershell.exe
2508	powershell.exe
4776	powershell.exe
3628	powershell.exe
4056	powershell.exe
4108	powershell.exe
1216	powershell.exe
2744	powershell.exe
3320	powershell.exe
5000	powershell.exe
296	powershell.exe
4448	WmiPrvSE.exe
4712	WmiPrvSE.exe
4528	WmiPrvSE.exe
2928	WmiPrvSE.exe
4752	WmiPrvSE.exe
2972	WmiPrvSE.exe
4548	WmiPrvSE.exe
948	WmiPrvSE.exe
1452	WmiPrvSE.exe
2404	WmiPrvSE.exe
2308	WmiPrvSE.exe
4056	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	DllCommonsvc.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	4448	WmiPrvSE.exe
Token: SeDebugPrivilege	4712	WmiPrvSE.exe
Token: SeDebugPrivilege	4528	WmiPrvSE.exe
Token: SeDebugPrivilege	2928	WmiPrvSE.exe
Token: SeDebugPrivilege	4752	WmiPrvSE.exe
Token: SeDebugPrivilege	2972	WmiPrvSE.exe
Token: SeDebugPrivilege	4548	WmiPrvSE.exe
Token: SeDebugPrivilege	948	WmiPrvSE.exe
Token: SeDebugPrivilege	1452	WmiPrvSE.exe
Token: SeDebugPrivilege	2404	WmiPrvSE.exe
Token: SeDebugPrivilege	2308	WmiPrvSE.exe
Token: SeDebugPrivilege	4056	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 4024	3336	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe	82
PID 3336 wrote to memory of 4024	3336	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe	82
PID 3336 wrote to memory of 4024	3336	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe	82
PID 4024 wrote to memory of 360	4024	WScript.exe	87
PID 4024 wrote to memory of 360	4024	WScript.exe	87
PID 4024 wrote to memory of 360	4024	WScript.exe	87
PID 360 wrote to memory of 3544	360	cmd.exe	89
PID 360 wrote to memory of 3544	360	cmd.exe	89
PID 3544 wrote to memory of 4056	3544	DllCommonsvc.exe	126
PID 3544 wrote to memory of 4056	3544	DllCommonsvc.exe	126
PID 3544 wrote to memory of 1216	3544	DllCommonsvc.exe	127
PID 3544 wrote to memory of 1216	3544	DllCommonsvc.exe	127
PID 3544 wrote to memory of 2508	3544	DllCommonsvc.exe	128
PID 3544 wrote to memory of 2508	3544	DllCommonsvc.exe	128
PID 3544 wrote to memory of 4776	3544	DllCommonsvc.exe	129
PID 3544 wrote to memory of 4776	3544	DllCommonsvc.exe	129
PID 3544 wrote to memory of 296	3544	DllCommonsvc.exe	130
PID 3544 wrote to memory of 296	3544	DllCommonsvc.exe	130
PID 3544 wrote to memory of 5000	3544	DllCommonsvc.exe	131
PID 3544 wrote to memory of 5000	3544	DllCommonsvc.exe	131
PID 3544 wrote to memory of 3524	3544	DllCommonsvc.exe	132
PID 3544 wrote to memory of 3524	3544	DllCommonsvc.exe	132
PID 3544 wrote to memory of 3352	3544	DllCommonsvc.exe	133
PID 3544 wrote to memory of 3352	3544	DllCommonsvc.exe	133
PID 3544 wrote to memory of 4108	3544	DllCommonsvc.exe	134
PID 3544 wrote to memory of 4108	3544	DllCommonsvc.exe	134
PID 3544 wrote to memory of 2744	3544	DllCommonsvc.exe	140
PID 3544 wrote to memory of 2744	3544	DllCommonsvc.exe	140
PID 3544 wrote to memory of 3628	3544	DllCommonsvc.exe	141
PID 3544 wrote to memory of 3628	3544	DllCommonsvc.exe	141
PID 3544 wrote to memory of 3320	3544	DllCommonsvc.exe	142
PID 3544 wrote to memory of 3320	3544	DllCommonsvc.exe	142
PID 3544 wrote to memory of 1808	3544	DllCommonsvc.exe	143
PID 3544 wrote to memory of 1808	3544	DllCommonsvc.exe	143
PID 3544 wrote to memory of 3760	3544	DllCommonsvc.exe	151
PID 3544 wrote to memory of 3760	3544	DllCommonsvc.exe	151
PID 3760 wrote to memory of 2244	3760	cmd.exe	155
PID 3760 wrote to memory of 2244	3760	cmd.exe	155
PID 3760 wrote to memory of 4448	3760	cmd.exe	158
PID 3760 wrote to memory of 4448	3760	cmd.exe	158
PID 4448 wrote to memory of 2256	4448	WmiPrvSE.exe	159
PID 4448 wrote to memory of 2256	4448	WmiPrvSE.exe	159
PID 2256 wrote to memory of 2008	2256	cmd.exe	161
PID 2256 wrote to memory of 2008	2256	cmd.exe	161
PID 2256 wrote to memory of 4712	2256	cmd.exe	162
PID 2256 wrote to memory of 4712	2256	cmd.exe	162
PID 4712 wrote to memory of 3512	4712	WmiPrvSE.exe	164
PID 4712 wrote to memory of 3512	4712	WmiPrvSE.exe	164
PID 3512 wrote to memory of 3628	3512	cmd.exe	166
PID 3512 wrote to memory of 3628	3512	cmd.exe	166
PID 3512 wrote to memory of 4528	3512	cmd.exe	168
PID 3512 wrote to memory of 4528	3512	cmd.exe	168
PID 4528 wrote to memory of 3612	4528	WmiPrvSE.exe	169
PID 4528 wrote to memory of 3612	4528	WmiPrvSE.exe	169
PID 3612 wrote to memory of 4740	3612	cmd.exe	171
PID 3612 wrote to memory of 4740	3612	cmd.exe	171
PID 3612 wrote to memory of 2928	3612	cmd.exe	172
PID 3612 wrote to memory of 2928	3612	cmd.exe	172
PID 2928 wrote to memory of 5028	2928	WmiPrvSE.exe	173
PID 2928 wrote to memory of 5028	2928	WmiPrvSE.exe	173
PID 5028 wrote to memory of 5076	5028	cmd.exe	175
PID 5028 wrote to memory of 5076	5028	cmd.exe	175
PID 5028 wrote to memory of 4752	5028	cmd.exe	176
PID 5028 wrote to memory of 4752	5028	cmd.exe	176

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1ExlHFW7K.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2244
      - C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2008
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3628
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4740
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:5076
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        15⤵
        
        PID:4956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4524
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
        17⤵
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4984
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        19⤵
        
        PID:660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4188
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
        21⤵
        
        PID:4032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4712
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
        23⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4812
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
        25⤵
        
        PID:1216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2904
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        27⤵
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4640
        
        C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
        
        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\System\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\ImmersiveControlPanel\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ImmersiveControlPanel\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Default\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat

Filesize
229B

MD5
84ed24cef940f987468cf1c769391b0a

SHA1
334b50a9e076cb8a5ce16da94121aa78b4ef3a5c

SHA256
caf6416bf64b9f012f1472844923614696a11e47c55a2057bf126e83cda7cce0

SHA512
e3d1958fe19f56ec4ecf6697f7fc5e264917c01c794283e46b3ad74fdd0d744b0b73baaacee468435dddf6507686bb3b8edf545235a4b9bda836c34561ada3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

Filesize
229B

MD5
04f543f930c3e650258e20224522c33a

SHA1
942198747501dfc8bdd67fe50ec56564dd7b56b8

SHA256
6cb93b62edf3c77202b83f6b3cb7e5c0a120c30542c0a58e8f065f0dce2468e7

SHA512
6af221e5454e4323a1979d926d2850c257a0b78c22d7a8197ae2da2e94f422b15a478788f2345219db0e34aa6d7b841ce06a82ed7424a619f1ac39124abcd765

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat

Filesize
229B

MD5
a0e1c726c11f946e3913ab13944a4d3d

SHA1
656de254437530181ca14be4fa95463840002c2b

SHA256
ba5736121bcdc1f96fc04ab0de4b9eb622200544daf0f6565189b84bbbba331f

SHA512
447be5f820e5c4de24ce45fb63edc5785566570c4d89139f17738fc0053563b3eaa02cccaa881760806cd11a314c880c68066793249b6be14a989aafad800bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

Filesize
229B

MD5
57c2e17457b1bcc3afc4bd1111a10258

SHA1
8fc40c87530b48cdc26067c8f9c760c5d39a8165

SHA256
e5bf0fd33d62aa9a09bd15c17a509513cf580333c9c5cf87ec86e020351a4aad

SHA512
b684d6ffcf519bb6c3a44ae623a146bfb85f3f96785ce6abccf6d0a60484c7cc85d1dfc74259c8da1fa47fec38e1560075145f19078ebdce0046f22b5e59cc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1ExlHFW7K.bat

Filesize
229B

MD5
d97c1ec48783a23f9decea241fb703aa

SHA1
352bfa7d2861bf618ba11e60dd9e21582ddb86d0

SHA256
6dad202024fbb34ac2683ed1bc781e7b791ede9af08a402829cfbd5ad76a44e3

SHA512
dd1d6b8fec3d5d4faeab6fce79c2a6be7180b50974eca01b8682ef1b79f633a71cd250aef8490a4c39786b16730e57987c3e9c4ed4e050803ee91587a4f6c01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
229B

MD5
1a581f0547eb85a52b9ac0708d2c650a

SHA1
4a81d7b74dc20e8b541981ce1cc8cd722f16ce18

SHA256
90fcb2c9be38d805025dbe481f470bb2c985107dc7888743dedff76b9b9104fd

SHA512
b8e996b42e7b5aa3f2c69b6a16e206efdd0309409197ea55f7918d00dacb973f926147bcca1fec86a87d9ad81dca6bd06b06e0a10bc78635062da6eb63d481e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
229B

MD5
f7e1582cb2509310eb1e7a4a425068da

SHA1
65983a5599051760c58716630641f90b82e88e8f

SHA256
4805e93141d7ff04b4a3e8061d44352b5e645e0507fe3afa7801fe2236371c23

SHA512
a30d5b7242dbac5d056fb34e37e9e1d86d5a74408543cea9b6a30caa1312eb0e9a85826339789192c97a71ba76e82cd080c071bbc94b07081e737c3280d2cd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

Filesize
229B

MD5
bc9b750b27aa129b20055a3e88e8184c

SHA1
f4195c60057aba27f07020636f7ebca893ed9aa6

SHA256
b77e5d4d2f4e3c8d70a5d2170ca0733cb9c31514edafb253f4db9aad145bcc28

SHA512
0cd5c4e58730632383c81fd245a0893757e4331ff1631fc2c899f26fa518604033fff50298c4f1cf1dd789d2356efac573d0a08eb2f3701d2a58d871173b25cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsm0e3ga.ym4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

Filesize
229B

MD5
34e35929ae7c7a58453e7344c1cae4c4

SHA1
0647ad8f6772415d6d7ac3c58e0cd778c5d7b0b5

SHA256
ac81f1b6dd183cb27e94d05275909929c490e4bd3a9b9461ae88b45d1f8cc2a2

SHA512
5c98958828129e96fabfe09007a58688be30673d5f5d0d83764375106ee7b657f6f558e1d37e05c42b22a3dfbba7533bb4cba36fe62b4288b0c069c63844885e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

Filesize
229B

MD5
37aca9290edafdd34bf764a7c33437ec

SHA1
0a797fbfd8c23b3164a6b2ce75254bad5ee10901

SHA256
55f7fdd8f1f03993b70becc3987d444525c6195c326d45d83953ee523fc4966f

SHA512
dcebe3d4c094165132255211a59d5750321d0246bce28880827f163d38952e6b8b68cf2947c9be619a39e606f48e959da1129d148e396dd73981333a66350c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
229B

MD5
ee184ddb27f612db257cb4b02ba7fe36

SHA1
3ad50d3e54d66142fca0e66839a9530e5c6c8ce7

SHA256
c2cf0fbfcac7f423c472fb2361117942de321bff1d5f294665fc677311bfff13

SHA512
fb8621bfe85e7a67d89ce08647ee629f89a604e3581d22db4c01f447d8c32621fd5d9d547d070fa527fe950ef5a18912f1e39b6f8826f6fbf9c70897fd471969

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

Filesize
229B

MD5
69ebe303328085602864f43ec584a166

SHA1
e6f0b4cf526b12e746cd4dd732fde2d842e7be3a

SHA256
355137eee0b81e411f19ebdb34282882c528d4955d1f0422395018d7a6c16577

SHA512
5ca08f9ec1a15f655d400effdb09d6519fecc78128aecf38c9fffffabe25faa10ac82f8dd12701a7752f449ce16be6796cedce13e802ecf9737497b8af5dd985

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2404-255-0x0000000001860000-0x0000000001872000-memory.dmp

Filesize
72KB

Download
memory/2928-218-0x000000001B7F0000-0x000000001B802000-memory.dmp

Filesize
72KB

Download
memory/3352-47-0x0000012FA14F0000-0x0000012FA1512000-memory.dmp

Filesize
136KB

Download
memory/3544-14-0x0000000002BC0000-0x0000000002BD2000-memory.dmp

Filesize
72KB

Download
memory/3544-15-0x0000000002BE0000-0x0000000002BEC000-memory.dmp

Filesize
48KB

Download
memory/3544-16-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

Filesize
48KB

Download
memory/3544-13-0x0000000000780000-0x0000000000890000-memory.dmp

Filesize
1.1MB

Download
memory/3544-12-0x00007FFCE63A3000-0x00007FFCE63A5000-memory.dmp

Filesize
8KB

Download
memory/3544-17-0x000000001B3C0000-0x000000001B3CC000-memory.dmp

Filesize
48KB

Download
memory/4528-211-0x0000000001440000-0x0000000001452000-memory.dmp

Filesize
72KB

Download
memory/4712-204-0x0000000001800000-0x0000000001812000-memory.dmp

Filesize
72KB

Download