dcrat | 5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe
Size

1.3MB
MD5

e09e5ed218d422495447ea4769ea219f
SHA1

9b4f67ac07f54669bfe2072094013cad7783e1ae
SHA256

5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b
SHA512

fff49f033a7974f8326cb462fc114a74f05c1c9fe0287b0cbcba4509e77ebd4913f84b8c537004c15f02da545c1d3aaf6111263f2a4f576dbd6e943f5ae2ef1e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	60	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	60	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0031000000023b74-10.dat	dcrat
behavioral2/memory/3544-13-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5016	powershell.exe
2700	powershell.exe
1568	powershell.exe
1140	powershell.exe
3400	powershell.exe
2100	powershell.exe
1920	powershell.exe
2256	powershell.exe
4564	powershell.exe
2384	powershell.exe
4736	powershell.exe
728	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 15 IoCs

pid	Process
3544	DllCommonsvc.exe
2740	System.exe
1456	System.exe
1072	System.exe
2396	System.exe
4212	System.exe
3140	System.exe
3544	System.exe
2184	System.exe
3360	System.exe
872	System.exe
4360	System.exe
3732	System.exe
3696	System.exe
4316	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
43	raw.githubusercontent.com
56	raw.githubusercontent.com
15	raw.githubusercontent.com
34	raw.githubusercontent.com
52	raw.githubusercontent.com
54	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
44	raw.githubusercontent.com
45	raw.githubusercontent.com
55	raw.githubusercontent.com
13	raw.githubusercontent.com
48	raw.githubusercontent.com
53	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\e1ef82546f0b02	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\microsoft.system.package.metadata\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\microsoft.system.package.metadata\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3280	schtasks.exe
1320	schtasks.exe
3736	schtasks.exe
2564	schtasks.exe
4092	schtasks.exe
1668	schtasks.exe
388	schtasks.exe
4452	schtasks.exe
2684	schtasks.exe
1152	schtasks.exe
2320	schtasks.exe
4500	schtasks.exe
2292	schtasks.exe
1412	schtasks.exe
4888	schtasks.exe
4416	schtasks.exe
3592	schtasks.exe
1092	schtasks.exe
4352	schtasks.exe
640	schtasks.exe
5116	schtasks.exe
3600	schtasks.exe
760	schtasks.exe
4380	schtasks.exe
3016	schtasks.exe
1252	schtasks.exe
3732	schtasks.exe
4948	schtasks.exe
2144	schtasks.exe
3540	schtasks.exe
644	schtasks.exe
216	schtasks.exe
4224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
3544	DllCommonsvc.exe
3544	DllCommonsvc.exe
3544	DllCommonsvc.exe
3544	DllCommonsvc.exe
3544	DllCommonsvc.exe
3544	DllCommonsvc.exe
3544	DllCommonsvc.exe
2384	powershell.exe
2384	powershell.exe
2256	powershell.exe
2256	powershell.exe
4736	powershell.exe
4736	powershell.exe
5016	powershell.exe
5016	powershell.exe
1920	powershell.exe
1920	powershell.exe
1568	powershell.exe
1568	powershell.exe
2700	powershell.exe
2700	powershell.exe
3400	powershell.exe
3400	powershell.exe
728	powershell.exe
728	powershell.exe
2100	powershell.exe
2100	powershell.exe
1140	powershell.exe
1140	powershell.exe
4564	powershell.exe
4564	powershell.exe
2740	System.exe
2740	System.exe
5016	powershell.exe
2256	powershell.exe
1920	powershell.exe
2384	powershell.exe
2100	powershell.exe
1568	powershell.exe
4736	powershell.exe
3400	powershell.exe
728	powershell.exe
2700	powershell.exe
1140	powershell.exe
4564	powershell.exe
1456	System.exe
1072	System.exe
2396	System.exe
4212	System.exe
3140	System.exe
3544	System.exe
2184	System.exe
3360	System.exe
872	System.exe
4360	System.exe
3732	System.exe
3696	System.exe
4316	System.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	DllCommonsvc.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2740	System.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	1456	System.exe
Token: SeDebugPrivilege	1072	System.exe
Token: SeDebugPrivilege	2396	System.exe
Token: SeDebugPrivilege	4212	System.exe
Token: SeDebugPrivilege	3140	System.exe
Token: SeDebugPrivilege	3544	System.exe
Token: SeDebugPrivilege	2184	System.exe
Token: SeDebugPrivilege	3360	System.exe
Token: SeDebugPrivilege	872	System.exe
Token: SeDebugPrivilege	4360	System.exe
Token: SeDebugPrivilege	3732	System.exe
Token: SeDebugPrivilege	3696	System.exe
Token: SeDebugPrivilege	4316	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3572	2848	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe	82
PID 2848 wrote to memory of 3572	2848	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe	82
PID 2848 wrote to memory of 3572	2848	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe	82
PID 3572 wrote to memory of 4848	3572	WScript.exe	83
PID 3572 wrote to memory of 4848	3572	WScript.exe	83
PID 3572 wrote to memory of 4848	3572	WScript.exe	83
PID 4848 wrote to memory of 3544	4848	cmd.exe	85
PID 4848 wrote to memory of 3544	4848	cmd.exe	85
PID 3544 wrote to memory of 4564	3544	DllCommonsvc.exe	120
PID 3544 wrote to memory of 4564	3544	DllCommonsvc.exe	120
PID 3544 wrote to memory of 5016	3544	DllCommonsvc.exe	121
PID 3544 wrote to memory of 5016	3544	DllCommonsvc.exe	121
PID 3544 wrote to memory of 2256	3544	DllCommonsvc.exe	122
PID 3544 wrote to memory of 2256	3544	DllCommonsvc.exe	122
PID 3544 wrote to memory of 1920	3544	DllCommonsvc.exe	123
PID 3544 wrote to memory of 1920	3544	DllCommonsvc.exe	123
PID 3544 wrote to memory of 2100	3544	DllCommonsvc.exe	125
PID 3544 wrote to memory of 2100	3544	DllCommonsvc.exe	125
PID 3544 wrote to memory of 3400	3544	DllCommonsvc.exe	126
PID 3544 wrote to memory of 3400	3544	DllCommonsvc.exe	126
PID 3544 wrote to memory of 728	3544	DllCommonsvc.exe	127
PID 3544 wrote to memory of 728	3544	DllCommonsvc.exe	127
PID 3544 wrote to memory of 4736	3544	DllCommonsvc.exe	128
PID 3544 wrote to memory of 4736	3544	DllCommonsvc.exe	128
PID 3544 wrote to memory of 1140	3544	DllCommonsvc.exe	129
PID 3544 wrote to memory of 1140	3544	DllCommonsvc.exe	129
PID 3544 wrote to memory of 2700	3544	DllCommonsvc.exe	130
PID 3544 wrote to memory of 2700	3544	DllCommonsvc.exe	130
PID 3544 wrote to memory of 1568	3544	DllCommonsvc.exe	131
PID 3544 wrote to memory of 1568	3544	DllCommonsvc.exe	131
PID 3544 wrote to memory of 2384	3544	DllCommonsvc.exe	132
PID 3544 wrote to memory of 2384	3544	DllCommonsvc.exe	132
PID 3544 wrote to memory of 2740	3544	DllCommonsvc.exe	143
PID 3544 wrote to memory of 2740	3544	DllCommonsvc.exe	143
PID 2740 wrote to memory of 2184	2740	System.exe	145
PID 2740 wrote to memory of 2184	2740	System.exe	145
PID 2184 wrote to memory of 2444	2184	cmd.exe	147
PID 2184 wrote to memory of 2444	2184	cmd.exe	147
PID 2184 wrote to memory of 1456	2184	cmd.exe	152
PID 2184 wrote to memory of 1456	2184	cmd.exe	152
PID 1456 wrote to memory of 3736	1456	System.exe	153
PID 1456 wrote to memory of 3736	1456	System.exe	153
PID 3736 wrote to memory of 2372	3736	cmd.exe	155
PID 3736 wrote to memory of 2372	3736	cmd.exe	155
PID 3736 wrote to memory of 1072	3736	cmd.exe	158
PID 3736 wrote to memory of 1072	3736	cmd.exe	158
PID 1072 wrote to memory of 1204	1072	System.exe	160
PID 1072 wrote to memory of 1204	1072	System.exe	160
PID 1204 wrote to memory of 2724	1204	cmd.exe	162
PID 1204 wrote to memory of 2724	1204	cmd.exe	162
PID 1204 wrote to memory of 2396	1204	cmd.exe	164
PID 1204 wrote to memory of 2396	1204	cmd.exe	164
PID 2396 wrote to memory of 4780	2396	System.exe	165
PID 2396 wrote to memory of 4780	2396	System.exe	165
PID 4780 wrote to memory of 4656	4780	cmd.exe	167
PID 4780 wrote to memory of 4656	4780	cmd.exe	167
PID 4780 wrote to memory of 4212	4780	cmd.exe	168
PID 4780 wrote to memory of 4212	4780	cmd.exe	168
PID 4212 wrote to memory of 2984	4212	System.exe	169
PID 4212 wrote to memory of 2984	4212	System.exe	169
PID 2984 wrote to memory of 4564	2984	cmd.exe	171
PID 2984 wrote to memory of 4564	2984	cmd.exe	171
PID 2984 wrote to memory of 3140	2984	cmd.exe	172
PID 2984 wrote to memory of 3140	2984	cmd.exe	172

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\microsoft.system.package.metadata\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2444
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2372
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2724
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4656
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4564
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        16⤵
        
        PID:4196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3688
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat"
        18⤵
        
        PID:864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3148
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
        20⤵
        
        PID:4268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3192
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
        22⤵
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1996
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
        24⤵
        
        PID:2724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1152
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        26⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3124
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
        28⤵
        
        PID:3740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:644
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat"
        30⤵
        
        PID:924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3524
        
        C:\Users\Public\Music\System.exe
        
        "C:\Users\Public\Music\System.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
        32⤵
        
        PID:1368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\microsoft.system.package.metadata\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\microsoft.system.package.metadata\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\microsoft.system.package.metadata\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\providercommon\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
197B

MD5
95e1b7c94d7494e03b1a42615dfc54cf

SHA1
6beb746af135fcdd4f2a09235a570b1ddd63f4a0

SHA256
c4e1e2c576ecbeeb60ed9dc1251cd5270a8118ed00258587db5e8de0fc954adb

SHA512
e4a412d58d1b3a4cde5a9706bc42f331a7b4eab999d306a4650601e166f83890b9bd351d6947d5c181168c40f3e9a9f603d86d2c50bb212a7671638018e9fbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat

Filesize
197B

MD5
90962c6aaa1339fdf79d25727f8abcf1

SHA1
2bef9ebe7368e191edcbca86d729dabcc848c1ba

SHA256
78e8c4d8b0289efd97d89a7dd90dfa7d797b8eaf90958e3175fcbb1542be6609

SHA512
7e8f717bebdbcd4ed1d59d2730070d366de7270ba574b8dcbdc2a135d3622406d2e19c5ef44301c19c6690c77904091f83ef558f0b45ee35a9d2775168cdae5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
197B

MD5
4d544357d370520a620c65bde0312794

SHA1
38e7569a534eb5a6cd69baa9587e409cb7cf8439

SHA256
793bf17f3e6ca9581aba34ed7d207c2134a83ef503daf23dd22ed4d99cb833ad

SHA512
c07442f5375e5bec5c89f002804d35981dc253e2d339483e462a0f61c6e62aceeea7ac764f100a696e79740b027449650b25da96d88edbe1f6650754165780cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

Filesize
197B

MD5
eae9905321786e277f91258fd07631bd

SHA1
bd76fdf503acd0bc91f2de8ea018052e51758347

SHA256
eb1e34354ff30cbb6a8e14685e51578692e946468499d673f1352e1fd7638cbf

SHA512
b198acf99d42b558017cc064e2dd2aca4a6b3ed175281efa9d8a7eabf2a80455322fa3dccd2ed1d11e79bd0b16724788ca6a5513fcb5546e2c111cd21a57f7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat

Filesize
197B

MD5
f388dee0af9bc4dd038e95e5dde4db1b

SHA1
44cb9d083f824253e32a8a3df48cbe08eb7ac0ca

SHA256
5e782bcb73382b5ab2ad36ebfbebbd27fe23f5dd3dff68235bbc63bf3553aa70

SHA512
ef602382f25edac1d5d5d0d5c723a0736b6d52f24d260ab55319587b7ebbeea59213e7377fc072022ec83fc43258e89ad3d9518653c9c447b4f98f352069f10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

Filesize
197B

MD5
516819af4cfbf55a8e9aabb347c6e98e

SHA1
0d6f3adcf28627bfb5afaedf23c3ab659df24348

SHA256
a22c55d7bc6d98820766369165cee794ced63f186300adfa678bf9ba663d32ca

SHA512
e143ffbadc47b6272319f7ece851f1e6df07e17259f66d9835ac9eee3990a62fd93ec5470ff220172bf56ee3ad9f6ee82846e920ec4dfb29292d52744faacd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

Filesize
197B

MD5
e638de97d66d7c7d44ce91430b936104

SHA1
c03f0779a48a591b4acdd69ed477088f6cffd3c0

SHA256
6857a5bc02b0c46a3e4dc2730e3cc1b8926b858d7733e1057d1bda864c3148bd

SHA512
8c5e91421c003828dd0a87f4eeeb64ed977f083f2e627f68cf9a05c02b86a2e69929880df63f153ee02b3f8c06485caea5552ba244507aba06735f82861ec277

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
197B

MD5
6764c75e68d5c09f99e9379314b1f246

SHA1
522b5d3161bbf49905c039d918288129349a5824

SHA256
1b1fd44875843b8ba0dbbd5b66e21bba3fdb408bc9137213c9304f5b648ce9fa

SHA512
a060c376a2ffa49ee075c7d0882fbf4c12e5b764535c6b45f8b9144ea4f6db99d4bd4d5897115019dfdd6bc380ea4e4f011faeaee9fab787d538146c6d95f363

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njrlogsj.rei.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat

Filesize
197B

MD5
dac14e2b2b58c2831b511dfe21fb716e

SHA1
49269417e5a737507fd38a16e142f2a8325eecde

SHA256
df9571b13587e84a803fa2055adcd38cf23076e37dd03c2d31f13c8de807127c

SHA512
8458d11e911f8930d69826c790d01c02384d91634831e97fd4e80e02eb699d91a29a8e74c72a5e374448f4ebcf4d7cdc3e0e3ae5bb25d7b1cd3ddb236f3ff400

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat

Filesize
197B

MD5
19c36521e0c44e34d256f5874b2869fe

SHA1
b0a0418586689a3ef5ba9f1b39d894138bef8e32

SHA256
fecb6e36865535be9c550f95a9c09d5e89fa7cc40e65d56bd548b718223baa6a

SHA512
18cf532423d08e96f1ac5b16b5f90bddf896c334e6a80ca46fb858ea6b83ceb9c1384c76874a680f1b24ec7784f4818151db3a9ca9416f420264cdbcdb97d7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat

Filesize
197B

MD5
65afacc2b1d6541c838fbc1cfc4e9f93

SHA1
23039ce02821eea2fbfb9a17e8c1bdad6ab4bed1

SHA256
9a3af3cdd26250e46903d54735e523640b43a5118266d2a65877ea0b427a3675

SHA512
5c5b4d4028b186dd3dd2e706d4c55f19b5213d4e05b9f151c56813b6d084fdc75331754ffcea710519b7d57e4382ad70ad7279d206c96d802c91d0b024f0728b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat

Filesize
197B

MD5
c31288c384ba24066336b9124122eba0

SHA1
0bbf5ffb84ccc4a56fad1f9bbb8fa13e652768d6

SHA256
7f1d6f19f83216749cca4b33c3a0a816195732660c2398a1bfa8d0df1d9a854d

SHA512
33565c7b8c78e6294bda9ea35d4feb523bcade02355a21728b2669795d02af517bb1fb8f9fe8f8b4cde8d06e4e12943052ea78bbe539f8e4ebf1e75474fe5f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat

Filesize
197B

MD5
957ceef1d0a374a40b9ecc4b7a9b2988

SHA1
4351d5f906d29f232c549a9820cadef165550ca2

SHA256
3f7c8c446c4588486d6b48ccd6199daf50b40314766e2fcda688782b0df3d8b5

SHA512
241c9acc7f28bc6bbc8a9f89ea24fed5f0a351d067fbd34a0fa60e28d460e894f8a19dda171acea87830788fc5e02ebb43531478bbc7f41f6864b8fc5290ba0e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/872-244-0x00000000013E0000-0x00000000013F2000-memory.dmp

Filesize
72KB

Download
memory/1456-193-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/3360-237-0x0000000002E60000-0x0000000002E72000-memory.dmp

Filesize
72KB

Download
memory/3544-224-0x0000000002620000-0x0000000002632000-memory.dmp

Filesize
72KB

Download
memory/3544-12-0x00007FFB93C13000-0x00007FFB93C15000-memory.dmp

Filesize
8KB

Download
memory/3544-13-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/3544-14-0x0000000000D40000-0x0000000000D52000-memory.dmp

Filesize
72KB

Download
memory/3544-15-0x0000000000D50000-0x0000000000D5C000-memory.dmp

Filesize
48KB

Download
memory/3544-16-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/3544-17-0x0000000002620000-0x000000000262C000-memory.dmp

Filesize
48KB

Download
memory/4316-269-0x0000000002B50000-0x0000000002B62000-memory.dmp

Filesize
72KB

Download
memory/5016-51-0x000001D8E14D0000-0x000001D8E14F2000-memory.dmp

Filesize
136KB

Download