dcrat | 2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8.exe
Size

1.3MB
MD5

81e13a3fe22212e4761baddff0abd752
SHA1

2d90a5802ce3268455186b6955b239ea965b7b1a
SHA256

2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8
SHA512

48fc6b13fd09c6a2167594ec293495ef1a7dd354d7c371fb0842f1c80962c53c35a9d82d56b244ad0954f266a4fb191b7306d6bb1a78a2ec1c3d891dd85c42a0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	392	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b64-10.dat	dcrat
behavioral2/memory/3192-13-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
952	powershell.exe
4280	powershell.exe
1424	powershell.exe
4808	powershell.exe
4624	powershell.exe
4980	powershell.exe
3680	powershell.exe
968	powershell.exe
4116	powershell.exe
1416	powershell.exe
2228	powershell.exe
1388	powershell.exe
2272	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 14 IoCs

pid	Process
3192	DllCommonsvc.exe
4540	SppExtComObj.exe
3680	SppExtComObj.exe
2820	SppExtComObj.exe
2684	SppExtComObj.exe
4352	SppExtComObj.exe
4708	SppExtComObj.exe
2880	SppExtComObj.exe
1420	SppExtComObj.exe
2468	SppExtComObj.exe
1556	SppExtComObj.exe
1384	SppExtComObj.exe
1444	SppExtComObj.exe
1836	SppExtComObj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
41	raw.githubusercontent.com
45	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
56	raw.githubusercontent.com
23	raw.githubusercontent.com
24	raw.githubusercontent.com
40	raw.githubusercontent.com
46	raw.githubusercontent.com
48	raw.githubusercontent.com
52	raw.githubusercontent.com
55	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\e1ef82546f0b02	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\ImmersiveControlPanel\de-DE\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\de-DE\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
412	schtasks.exe
3664	schtasks.exe
628	schtasks.exe
4896	schtasks.exe
3456	schtasks.exe
1660	schtasks.exe
1040	schtasks.exe
3012	schtasks.exe
3440	schtasks.exe
3356	schtasks.exe
1872	schtasks.exe
4228	schtasks.exe
2740	schtasks.exe
4480	schtasks.exe
2724	schtasks.exe
3800	schtasks.exe
3236	schtasks.exe
2824	schtasks.exe
5012	schtasks.exe
1860	schtasks.exe
2352	schtasks.exe
4184	schtasks.exe
856	schtasks.exe
1964	schtasks.exe
4268	schtasks.exe
3908	schtasks.exe
2260	schtasks.exe
3332	schtasks.exe
4516	schtasks.exe
3068	schtasks.exe
1732	schtasks.exe
3532	schtasks.exe
3896	schtasks.exe
2448	schtasks.exe
4308	schtasks.exe
1312	schtasks.exe
4028	schtasks.exe
2608	schtasks.exe
1304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3192	DllCommonsvc.exe
1388	powershell.exe
1388	powershell.exe
1416	powershell.exe
1416	powershell.exe
4624	powershell.exe
4624	powershell.exe
4808	powershell.exe
4808	powershell.exe
3680	powershell.exe
3680	powershell.exe
2272	powershell.exe
2272	powershell.exe
1424	powershell.exe
1424	powershell.exe
2228	powershell.exe
2228	powershell.exe
2684	powershell.exe
2684	powershell.exe
952	powershell.exe
952	powershell.exe
4980	powershell.exe
4980	powershell.exe
968	powershell.exe
968	powershell.exe
4280	powershell.exe
4280	powershell.exe
4116	powershell.exe
4116	powershell.exe
2684	powershell.exe
1416	powershell.exe
952	powershell.exe
1388	powershell.exe
4980	powershell.exe
2272	powershell.exe
3680	powershell.exe
4808	powershell.exe
4624	powershell.exe
1424	powershell.exe
2228	powershell.exe
968	powershell.exe
4116	powershell.exe
4280	powershell.exe
4540	SppExtComObj.exe
3680	SppExtComObj.exe
2820	SppExtComObj.exe
2684	SppExtComObj.exe
4352	SppExtComObj.exe
4708	SppExtComObj.exe
2880	SppExtComObj.exe
1420	SppExtComObj.exe
2468	SppExtComObj.exe
1556	SppExtComObj.exe
1384	SppExtComObj.exe
1444	SppExtComObj.exe
1836	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	DllCommonsvc.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	4540	SppExtComObj.exe
Token: SeDebugPrivilege	3680	SppExtComObj.exe
Token: SeDebugPrivilege	2820	SppExtComObj.exe
Token: SeDebugPrivilege	2684	SppExtComObj.exe
Token: SeDebugPrivilege	4352	SppExtComObj.exe
Token: SeDebugPrivilege	4708	SppExtComObj.exe
Token: SeDebugPrivilege	2880	SppExtComObj.exe
Token: SeDebugPrivilege	1420	SppExtComObj.exe
Token: SeDebugPrivilege	2468	SppExtComObj.exe
Token: SeDebugPrivilege	1556	SppExtComObj.exe
Token: SeDebugPrivilege	1384	SppExtComObj.exe
Token: SeDebugPrivilege	1444	SppExtComObj.exe
Token: SeDebugPrivilege	1836	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 3900	1148	JaffaCakes118_2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8.exe	83
PID 1148 wrote to memory of 3900	1148	JaffaCakes118_2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8.exe	83
PID 1148 wrote to memory of 3900	1148	JaffaCakes118_2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8.exe	83
PID 3900 wrote to memory of 2488	3900	WScript.exe	85
PID 3900 wrote to memory of 2488	3900	WScript.exe	85
PID 3900 wrote to memory of 2488	3900	WScript.exe	85
PID 2488 wrote to memory of 3192	2488	cmd.exe	87
PID 2488 wrote to memory of 3192	2488	cmd.exe	87
PID 3192 wrote to memory of 4116	3192	DllCommonsvc.exe	129
PID 3192 wrote to memory of 4116	3192	DllCommonsvc.exe	129
PID 3192 wrote to memory of 4280	3192	DllCommonsvc.exe	130
PID 3192 wrote to memory of 4280	3192	DllCommonsvc.exe	130
PID 3192 wrote to memory of 1424	3192	DllCommonsvc.exe	131
PID 3192 wrote to memory of 1424	3192	DllCommonsvc.exe	131
PID 3192 wrote to memory of 4980	3192	DllCommonsvc.exe	132
PID 3192 wrote to memory of 4980	3192	DllCommonsvc.exe	132
PID 3192 wrote to memory of 4808	3192	DllCommonsvc.exe	133
PID 3192 wrote to memory of 4808	3192	DllCommonsvc.exe	133
PID 3192 wrote to memory of 2684	3192	DllCommonsvc.exe	134
PID 3192 wrote to memory of 2684	3192	DllCommonsvc.exe	134
PID 3192 wrote to memory of 3680	3192	DllCommonsvc.exe	135
PID 3192 wrote to memory of 3680	3192	DllCommonsvc.exe	135
PID 3192 wrote to memory of 1416	3192	DllCommonsvc.exe	136
PID 3192 wrote to memory of 1416	3192	DllCommonsvc.exe	136
PID 3192 wrote to memory of 2228	3192	DllCommonsvc.exe	137
PID 3192 wrote to memory of 2228	3192	DllCommonsvc.exe	137
PID 3192 wrote to memory of 1388	3192	DllCommonsvc.exe	138
PID 3192 wrote to memory of 1388	3192	DllCommonsvc.exe	138
PID 3192 wrote to memory of 2272	3192	DllCommonsvc.exe	139
PID 3192 wrote to memory of 2272	3192	DllCommonsvc.exe	139
PID 3192 wrote to memory of 4624	3192	DllCommonsvc.exe	140
PID 3192 wrote to memory of 4624	3192	DllCommonsvc.exe	140
PID 3192 wrote to memory of 952	3192	DllCommonsvc.exe	141
PID 3192 wrote to memory of 952	3192	DllCommonsvc.exe	141
PID 3192 wrote to memory of 968	3192	DllCommonsvc.exe	142
PID 3192 wrote to memory of 968	3192	DllCommonsvc.exe	142
PID 3192 wrote to memory of 1556	3192	DllCommonsvc.exe	156
PID 3192 wrote to memory of 1556	3192	DllCommonsvc.exe	156
PID 1556 wrote to memory of 4056	1556	cmd.exe	159
PID 1556 wrote to memory of 4056	1556	cmd.exe	159
PID 1556 wrote to memory of 4540	1556	cmd.exe	166
PID 1556 wrote to memory of 4540	1556	cmd.exe	166
PID 4540 wrote to memory of 3048	4540	SppExtComObj.exe	174
PID 4540 wrote to memory of 3048	4540	SppExtComObj.exe	174
PID 3048 wrote to memory of 2856	3048	cmd.exe	176
PID 3048 wrote to memory of 2856	3048	cmd.exe	176
PID 3048 wrote to memory of 3680	3048	cmd.exe	178
PID 3048 wrote to memory of 3680	3048	cmd.exe	178
PID 3680 wrote to memory of 4740	3680	SppExtComObj.exe	182
PID 3680 wrote to memory of 4740	3680	SppExtComObj.exe	182
PID 4740 wrote to memory of 3596	4740	cmd.exe	184
PID 4740 wrote to memory of 3596	4740	cmd.exe	184
PID 4740 wrote to memory of 2820	4740	cmd.exe	187
PID 4740 wrote to memory of 2820	4740	cmd.exe	187
PID 2820 wrote to memory of 3768	2820	SppExtComObj.exe	189
PID 2820 wrote to memory of 3768	2820	SppExtComObj.exe	189
PID 3768 wrote to memory of 628	3768	cmd.exe	191
PID 3768 wrote to memory of 628	3768	cmd.exe	191
PID 3768 wrote to memory of 2684	3768	cmd.exe	193
PID 3768 wrote to memory of 2684	3768	cmd.exe	193
PID 2684 wrote to memory of 1556	2684	SppExtComObj.exe	195
PID 2684 wrote to memory of 1556	2684	SppExtComObj.exe	195
PID 1556 wrote to memory of 3396	1556	cmd.exe	197
PID 1556 wrote to memory of 3396	1556	cmd.exe	197

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2418a86531fbebb6ccb73fb2651d266eca738eaa3544fe8680e14204930174a8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Local\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\siHyKw9Q8z.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4056
      - C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2856
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3596
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:628
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3396
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        15⤵
        
        PID:4512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4100
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
        17⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1520
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
        19⤵
        
        PID:4640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:5088
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
        21⤵
        
        PID:3536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3768
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        23⤵
        
        PID:384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4764
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"
        25⤵
        
        PID:768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2128
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
        27⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2496
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
        29⤵
        
        PID:3400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4816
        
        C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Local\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Local\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f4038903775bd49192beef39594c3614

SHA1
db4d190d86ea4a231ce6b5408860220a1020077f

SHA256
97a71179aa74dbcd1c58694ee6d2fa7faa432312db4f803611ac478d9c0256ec

SHA512
059cf3c5afc9cc7eace9a6a9ae05db5ad1f7620e6def9885a317c377eb6cfe2056e4f3aa03c7a2035d21a332626d292116594303d97c5c82b8c5b0eedcbb9332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat

Filesize
227B

MD5
a0563c0f8a6ddbe034b0edde205911ae

SHA1
58cb91ca329271b0d53477f70c6b0935878ff336

SHA256
221f5cf7d43572011db5a0e28fdd84545abd8a53dedc3f5bb47f2cd8c52a27a2

SHA512
d64a53e0be18706d9bfb6b63b80815daef5fff206f96ecaf422f02e0c525db56eedebe9f62ff3d0fb1d7b274fd1b69e48b2f818c4c2008250b48b651d596f6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat

Filesize
227B

MD5
d9965ba05ca2ea788a8d82ec54d51b89

SHA1
ae76ab78df9c937a8d91af1b6377b7d66c8fbffb

SHA256
74ed6476ad4b395ef1de6deba198629e29595fb8e0533fad79eafdc3f84a4f7a

SHA512
743ac572c75a88750b3d38b703d317500995c44954017e3672abfe53c5b98ecb01709413f8e82b8839a334025aa9f9e84050b13355879dfb1e0feae585374254

Download Submit
C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat

Filesize
227B

MD5
dfc857200f311edc634b0857aa127287

SHA1
16e5fa50a5c62bd0baebd3a85a4754dc4d654acd

SHA256
3030f16a7e5613d9a8e51e65e349499f211e2a72d9063916e9e51562e64d0b2d

SHA512
6c00ba6372617c784bb6802411f0ff7a1852b0c02f3b30cb1160f14eb2d9f0b4707050560fbae5b1b0e2d8af40d90af2d518cb901faf81f5139f0fe00df1e9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat

Filesize
227B

MD5
5f4911e90fdfa3b9445596acb23e25c5

SHA1
39adf0bb82659cc2b60ceb46b1a679a94aafb2b9

SHA256
51ce2cdb607e551aab535b9f08414c2efd79b8b6947bd18abc367ffb209293da

SHA512
ef4dd8550c82863cf988eddea3822f630df009edda97bc1721f4faa7b03d1350691c06abbd7b68082b3e9b4aa4783eef8acd3164e5991bf55b78006d8acb18d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
227B

MD5
8421908e053c47cb6a80c535bfdb69e3

SHA1
090904da2680cb48c048228f8ad327799b73e1f2

SHA256
6059b7fe997739e72a6f9d393d59fa80b8811627214f578e8a9d521da1452e7e

SHA512
b3e82cf846712162e3b305c99b97f14f7e8920dba5c5163a213232707883549b3d9385fe4b80d0213fd943f4d610227029ef7687ebdd2f80a21ca5a392c02b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
227B

MD5
da521f55a394155483b374c2407d2b62

SHA1
7cc1e145e4675a2fff63b145a9a80c2a791d0f16

SHA256
2e2a85f1fe3a37496cd290a4689971ac4f8a2e25667e2eb8081fa1aee04e7abd

SHA512
401141794769ed0527b272665e874b2c577c1153249fcf65eabe526e1039a7f94eb56e869b90c6cb720a9af35edd14a5999b32c5e5eb15f1243f1a5a85cc1988

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
227B

MD5
48e12b5becd27e7d291e7b0b007957ce

SHA1
c776297b8eef28b6df9ff30aaf62dc0e5e562325

SHA256
0c6633f425758a07d278ecb7c261124870bae372586a6c2afc76b3a93e3bbd07

SHA512
54f3e4d75323c33bf49d601e5497b7c6aeda9d3e28c7049620e8f3b7c2dc839d33c21f3945103903488005bb1a74bea500af91159c8167e4f66f1f4b28402004

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vus2on5.tou.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

Filesize
227B

MD5
8fef3654426e9278705ea9726547ff1a

SHA1
ae689e134ac42b2f158c2c7e788d3843ca654eb2

SHA256
097da28c8b9654e0c6a7038f9295240779d03218d5c55835156be3b048a6b243

SHA512
b290d480071ef37016ac4a119bf57b66bb5ab6695279e3096a3b1edb1d2adaeeddd5fdc0aed2a797d24e29e1d8a58e6241c72c79a6faf0f53861e79e32f04539

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat

Filesize
227B

MD5
2c9d763fc7cdb9d284362e72abf450c7

SHA1
82a51d7f43f1aa364f69813d42b4894e31df4d97

SHA256
4c1be1fb9e3f8556a380bd531455924c46f717f6da9f3db74bc51a9bdea3acf2

SHA512
c56763112d9ef98ee254047e8f02d5d84a8317c44c2af0d2606c91aba852381072ad7acd01f5233f60165ce9ef9f65feb967f1c6f157ae43d19bd9fbd9d4db21

Download Submit
C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat

Filesize
227B

MD5
b6a38b7329e715b8f3e920984458cb94

SHA1
9e958387027152a3cf6a0f716635a919a4a74a4a

SHA256
0063b4da2de451af1250372c5dc15d8044fb5f047365403ab7bc2c2c087cff25

SHA512
fd54b18e03970161c1d577af474772c36da56720bbcec3c5f233ec1cb7cfb0bef3519717bc861c5f55b22bc66c6ffa9219f6c3f839fa8d69b08cfe42126f43c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\siHyKw9Q8z.bat

Filesize
227B

MD5
4e3433380ca91f6ca40fab11bae43b69

SHA1
d9d67fa97630e9ac4f68248510af83d48fae4bdf

SHA256
8ca3bd91a48437bf1abe1c2c8f0b9e11747480e2aa8ab609d088fcfc50b3bdb3

SHA512
8ae12e257b110b2c6f73b5cbee574d47a05cd8095c8455c5eb4f0731d0b70736201756017833924eae8d3667974de50065351adb37da7905e6d07d434501ff0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat

Filesize
227B

MD5
fe7deae9e8f61a7ad6cbe4131a04df3c

SHA1
19df4f5585e5f6e3d3b11f0f987af9913e028d7f

SHA256
727477f207fbca921070cd1c8ee5e683565e6b292d2aae4cc55449196fba2391

SHA512
4fdcf1922415f5ff23418d16d2d75cf2d9e3a2589109bd7573fa87e1112a0272353c61e914a08fe9596a9f85274c613a91e781562f3b63b20e93b9f4c46a03fa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/952-49-0x000001839A140000-0x000001839A162000-memory.dmp

Filesize
136KB

Download
memory/1444-282-0x0000000000920000-0x0000000000932000-memory.dmp

Filesize
72KB

Download
memory/1556-269-0x000000001B0E0000-0x000000001B0F2000-memory.dmp

Filesize
72KB

Download
memory/3192-17-0x00000000015E0000-0x00000000015EC000-memory.dmp

Filesize
48KB

Download
memory/3192-16-0x00000000015D0000-0x00000000015DC000-memory.dmp

Filesize
48KB

Download
memory/3192-15-0x00000000015F0000-0x00000000015FC000-memory.dmp

Filesize
48KB

Download
memory/3192-14-0x00000000015C0000-0x00000000015D2000-memory.dmp

Filesize
72KB

Download
memory/3192-13-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/3192-12-0x00007FFE57B93000-0x00007FFE57B95000-memory.dmp

Filesize
8KB

Download
memory/3680-218-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4352-237-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/4540-209-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/4708-244-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download