dcrat | 31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe
Size

1.3MB
MD5

ad134c9d0e2b1cbf8287bbfaba5c476f
SHA1

6a4710a002517b0a048059f7172c575c22292991
SHA256

31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75
SHA512

e4033d9e0d2b1ae8ac083f806e0d6156c384c40d8c1eaedf58b9b838a763a1421476bdd3795381b68a77c728ba2b36b010130b710542752baf71db032f5b2a84
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	248	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1776	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	1776	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cc4-10.dat	dcrat
behavioral2/memory/732-13-0x00000000007A0000-0x00000000008B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4848	powershell.exe
5088	powershell.exe
2644	powershell.exe
2940	powershell.exe
4612	powershell.exe
3500	powershell.exe
3760	powershell.exe
4484	powershell.exe
3744	powershell.exe
2544	powershell.exe
3228	powershell.exe
1088	powershell.exe
1152	powershell.exe
3660	powershell.exe
3636	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 14 IoCs

pid	Process
732	DllCommonsvc.exe
1512	DllCommonsvc.exe
3352	dllhost.exe
660	dllhost.exe
2516	dllhost.exe
1604	dllhost.exe
4324	dllhost.exe
4888	dllhost.exe
872	dllhost.exe
1860	dllhost.exe
4068	dllhost.exe
4920	dllhost.exe
2940	dllhost.exe
4940	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com
37	raw.githubusercontent.com
39	raw.githubusercontent.com
44	raw.githubusercontent.com
45	raw.githubusercontent.com
36	raw.githubusercontent.com
38	raw.githubusercontent.com
43	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\addins\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\addins\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\addins\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1056	schtasks.exe
4360	schtasks.exe
4668	schtasks.exe
2256	schtasks.exe
3772	schtasks.exe
756	schtasks.exe
4160	schtasks.exe
1256	schtasks.exe
1344	schtasks.exe
564	schtasks.exe
208	schtasks.exe
5116	schtasks.exe
3808	schtasks.exe
1092	schtasks.exe
3944	schtasks.exe
3796	schtasks.exe
1128	schtasks.exe
4296	schtasks.exe
4232	schtasks.exe
1204	schtasks.exe
1904	schtasks.exe
5096	schtasks.exe
1980	schtasks.exe
3432	schtasks.exe
1520	schtasks.exe
2548	schtasks.exe
248	schtasks.exe
4020	schtasks.exe
3068	schtasks.exe
4316	schtasks.exe
1588	schtasks.exe
2416	schtasks.exe
3016	schtasks.exe
1940	schtasks.exe
1908	schtasks.exe
1040	schtasks.exe
5072	schtasks.exe
2680	schtasks.exe
5056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
3500	powershell.exe
5088	powershell.exe
4612	powershell.exe
4848	powershell.exe
3500	powershell.exe
5088	powershell.exe
4612	powershell.exe
4848	powershell.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
1512	DllCommonsvc.exe
3660	powershell.exe
3660	powershell.exe
1088	powershell.exe
1088	powershell.exe
3228	powershell.exe
3228	powershell.exe
3636	powershell.exe
3636	powershell.exe
3744	powershell.exe
3744	powershell.exe
2544	powershell.exe
2544	powershell.exe
2940	powershell.exe
2940	powershell.exe
3760	powershell.exe
3760	powershell.exe
4484	powershell.exe
4484	powershell.exe
1152	powershell.exe
1152	powershell.exe
2644	powershell.exe
2644	powershell.exe
4484	powershell.exe
3636	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	732	DllCommonsvc.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	1512	DllCommonsvc.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	3352	dllhost.exe
Token: SeDebugPrivilege	660	dllhost.exe
Token: SeDebugPrivilege	2516	dllhost.exe
Token: SeDebugPrivilege	1604	dllhost.exe
Token: SeDebugPrivilege	4324	dllhost.exe
Token: SeDebugPrivilege	4888	dllhost.exe
Token: SeDebugPrivilege	872	dllhost.exe
Token: SeDebugPrivilege	1860	dllhost.exe
Token: SeDebugPrivilege	4068	dllhost.exe
Token: SeDebugPrivilege	4920	dllhost.exe
Token: SeDebugPrivilege	2940	dllhost.exe
Token: SeDebugPrivilege	4940	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4976	5072	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe	82
PID 5072 wrote to memory of 4976	5072	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe	82
PID 5072 wrote to memory of 4976	5072	JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe	82
PID 4976 wrote to memory of 4984	4976	WScript.exe	83
PID 4976 wrote to memory of 4984	4976	WScript.exe	83
PID 4976 wrote to memory of 4984	4976	WScript.exe	83
PID 4984 wrote to memory of 732	4984	cmd.exe	85
PID 4984 wrote to memory of 732	4984	cmd.exe	85
PID 732 wrote to memory of 4848	732	DllCommonsvc.exe	96
PID 732 wrote to memory of 4848	732	DllCommonsvc.exe	96
PID 732 wrote to memory of 5088	732	DllCommonsvc.exe	97
PID 732 wrote to memory of 5088	732	DllCommonsvc.exe	97
PID 732 wrote to memory of 4612	732	DllCommonsvc.exe	98
PID 732 wrote to memory of 4612	732	DllCommonsvc.exe	98
PID 732 wrote to memory of 3500	732	DllCommonsvc.exe	99
PID 732 wrote to memory of 3500	732	DllCommonsvc.exe	99
PID 732 wrote to memory of 4584	732	DllCommonsvc.exe	104
PID 732 wrote to memory of 4584	732	DllCommonsvc.exe	104
PID 4584 wrote to memory of 4968	4584	cmd.exe	106
PID 4584 wrote to memory of 4968	4584	cmd.exe	106
PID 4584 wrote to memory of 1512	4584	cmd.exe	107
PID 4584 wrote to memory of 1512	4584	cmd.exe	107
PID 1512 wrote to memory of 1088	1512	DllCommonsvc.exe	138
PID 1512 wrote to memory of 1088	1512	DllCommonsvc.exe	138
PID 1512 wrote to memory of 4484	1512	DllCommonsvc.exe	139
PID 1512 wrote to memory of 4484	1512	DllCommonsvc.exe	139
PID 1512 wrote to memory of 3228	1512	DllCommonsvc.exe	140
PID 1512 wrote to memory of 3228	1512	DllCommonsvc.exe	140
PID 1512 wrote to memory of 2940	1512	DllCommonsvc.exe	141
PID 1512 wrote to memory of 2940	1512	DllCommonsvc.exe	141
PID 1512 wrote to memory of 2544	1512	DllCommonsvc.exe	142
PID 1512 wrote to memory of 2544	1512	DllCommonsvc.exe	142
PID 1512 wrote to memory of 3760	1512	DllCommonsvc.exe	143
PID 1512 wrote to memory of 3760	1512	DllCommonsvc.exe	143
PID 1512 wrote to memory of 3636	1512	DllCommonsvc.exe	144
PID 1512 wrote to memory of 3636	1512	DllCommonsvc.exe	144
PID 1512 wrote to memory of 3660	1512	DllCommonsvc.exe	145
PID 1512 wrote to memory of 3660	1512	DllCommonsvc.exe	145
PID 1512 wrote to memory of 3744	1512	DllCommonsvc.exe	146
PID 1512 wrote to memory of 3744	1512	DllCommonsvc.exe	146
PID 1512 wrote to memory of 1152	1512	DllCommonsvc.exe	147
PID 1512 wrote to memory of 1152	1512	DllCommonsvc.exe	147
PID 1512 wrote to memory of 2644	1512	DllCommonsvc.exe	148
PID 1512 wrote to memory of 2644	1512	DllCommonsvc.exe	148
PID 1512 wrote to memory of 2536	1512	DllCommonsvc.exe	160
PID 1512 wrote to memory of 2536	1512	DllCommonsvc.exe	160
PID 2536 wrote to memory of 4732	2536	cmd.exe	162
PID 2536 wrote to memory of 4732	2536	cmd.exe	162
PID 2536 wrote to memory of 3352	2536	cmd.exe	166
PID 2536 wrote to memory of 3352	2536	cmd.exe	166
PID 3352 wrote to memory of 1860	3352	dllhost.exe	169
PID 3352 wrote to memory of 1860	3352	dllhost.exe	169
PID 1860 wrote to memory of 1228	1860	cmd.exe	172
PID 1860 wrote to memory of 1228	1860	cmd.exe	172
PID 1860 wrote to memory of 660	1860	cmd.exe	173
PID 1860 wrote to memory of 660	1860	cmd.exe	173
PID 660 wrote to memory of 1800	660	dllhost.exe	176
PID 660 wrote to memory of 1800	660	dllhost.exe	176
PID 1800 wrote to memory of 4328	1800	cmd.exe	178
PID 1800 wrote to memory of 4328	1800	cmd.exe	178
PID 1800 wrote to memory of 2516	1800	cmd.exe	179
PID 1800 wrote to memory of 2516	1800	cmd.exe	179
PID 2516 wrote to memory of 2340	2516	dllhost.exe	180
PID 2516 wrote to memory of 2340	2516	dllhost.exe	180

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IXqu0w2tHm.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4968
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links\unsecapp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XmSJjqInuW.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4732
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1228
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4328
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
        13⤵
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:772
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
        15⤵
        
        PID:1344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4420
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
        17⤵
        
        PID:2644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1640
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
        19⤵
        
        PID:4604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2344
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
        21⤵
        
        PID:4952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3952
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        23⤵
        
        PID:884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3852
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
        25⤵
        
        PID:3636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:244
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
        27⤵
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4816
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        29⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2616
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
        31⤵
        
        PID:4696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\providercommon\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\SendTo\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\SendTo\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default\SendTo\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\Links\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Favorites\Links\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d3e8199b4634731cf0a0c26c1f14f588

SHA1
7f8fae27eb80055a436a6b5457978f32673d9ad4

SHA256
ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a

SHA512
806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
68129b7b44f7d911681e600ff48965f0

SHA1
f60772afe1dbc2ab26e8058457f24832ffd51662

SHA256
4afb720885687a338f0af548692371f21be84912e1f95e914a99625445901ff0

SHA512
6d5223e91cba6a5fde5dfaa51beca12d48bcfc7f26764b88433777e2f9f82775d7abadfb588e40c48eb2b014560d8c02e9b17697148cfe206543c1c41cbf58a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fe9b96bc4e29457b2d225a5412322a52

SHA1
551e29903e926b5d6c52a8f57cf10475ba790bd0

SHA256
e81b9bfd38a5199813d703d5caf75baa6f62847b2b9632302b5d6f10dd6cf997

SHA512
ff912526647f6266f37749dfdc3ed5fd37c35042ba481331434168704c827d128c22093ba73d7ad0cecde10365f0978fcd3f3e2af1a1c280cd2e592a62d5fa80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
575c67abdb0b2c72de0d9dd38b94d791

SHA1
27783f259ffd096b21c02c70cb999bf860183124

SHA256
fdf985fb9c56b4462675c41f68555f8762dd7043b15750968208b88be87252bc

SHA512
61b23a15b52cf51b525993e8cfc0b9fd41d1bb28501c96a35f776bfa738390783ad266c2d0383a53770f3662dd118a45114d92afee63b4673e88008a6559b774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
150616521d490e160cd33b97d678d206

SHA1
71594f5b97a4a61fe5f120eb10bcd6b73d7e6e78

SHA256
94595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827

SHA512
7043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

Filesize
198B

MD5
cbf6099334df7e5544804983c9f528dc

SHA1
5dacac7a5a86114bb534b6d608eacef2e9f8d793

SHA256
c5218557b34dec2bef1529be1b38ddd10091210879d782f9701642341b1fa142

SHA512
bbeb9a171ed3d34dd111dafd4642673f1ea48a6409068a4be087d7d9aa0ad8bf7559eb9ea9160a328323ad285020607803d316ea5f6bc0ae22c4cafe463c6b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat

Filesize
198B

MD5
c52928bc4b9fb833c5c87b17ce431c49

SHA1
964654e9631449c507e61a72606a08d2e2de3cf6

SHA256
50d2e4ba90a7b557be5897cfbc2c4b6b81335050c8557bdb3df8d497e6367b2f

SHA512
2bb73d1a8dd3e3cc7b92cdc2bbad4923a665b4c2f206557d950d6f5affa35b10a65cc63de15cb532747673d07f09e93d3d56e4c334f18b088d75c829048fa631

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

Filesize
198B

MD5
47d691377e95dd893428fe916410296b

SHA1
7ae1784b1fead8959742ac77baf8f761b61d2894

SHA256
a92f0f3f5862b19aef9a20688bd006018fa7394271f5ea8141736c9f70d6807d

SHA512
46729fb5f3c78ef3c6dd2f4c233fecf97c0fc30e81b1ff96a79b0b72bf7e9c4d8f918b177c1d4b7616c478aadbeaae2270155991a20b46b6a423cee588e1980b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXqu0w2tHm.bat

Filesize
199B

MD5
1f9b16466f42aa1e7c6115f3c8f3f085

SHA1
532926de99c16b2859df43eae218470e62e83751

SHA256
114a9061e9de4e5d17034235fd692aaf026c3a2376eda48084ce8cd1f94ccb7a

SHA512
b12d5ed467f4e1056ce37cbb8e816845731aa0ba3f6e873ef97c5149200b39cdba7e6701761b2a716625f699e21d3639fcda1c5e67bc3c443f2db64a69833616

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat

Filesize
198B

MD5
eb1b22b48ab31bac59195ae3506c1b41

SHA1
d3eca208187dbbfe0aa7b2f75bc33b307aa1cf45

SHA256
49d9815941c1aa3e31b0f23922160290789a261191cf8391ee757bbada8391d9

SHA512
2a234da5a34e125b6050e84f162597e1981cf2a092d7050670a397003a9f58f52c90b44d3068a1ccbff4b417892f7313e51a7042f8924220cbc53a7b40b7c6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat

Filesize
198B

MD5
52bd14e7e392b7fec7d943b6c173be63

SHA1
0f821995cdc641adb2d5d3728cce3d0aeb59c04d

SHA256
8095917afa09c8aa1de5e0f893ffa724f977b494313fd7e3af3babb424f51161

SHA512
2dd0a5465353cb6ce47fe0ecdc1f32413b6570d146b16a52f9004187870f6511c51938946c53bcfe7aa85bfeb974421fbe18bd1183aadac23eb0d3de66b17b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

Filesize
198B

MD5
a7fabb1e0f00cb0b204ec00cb7c5dc6b

SHA1
176bb64751022aa894325769dc896ac07b3fe161

SHA256
20894c1e6c03fbc5a733ea2c2443203c76d0110f70377e85e1a264d8b19f285d

SHA512
a1cb797ee2fbdd9bb9f1e29139ab467103c70cb0dc1c0080c0c031dbc5f59b218f882b4614cfb13b979d4dee27812b434065941ebab80e6a9c15d39f5674babc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XmSJjqInuW.bat

Filesize
198B

MD5
6586645f98cc1fe4e63bf72e36b7b53f

SHA1
1550c83749b0c05b8f2af53bc276de0ba8a7917a

SHA256
ef23ddffa9a8ee905ab1d1791c98fac106b774c7d654e1708c864317bf704d7b

SHA512
2a1d1d5383860b14f11237f388a0c24007118b088e58704b542f3df83cd81ef8c868b8b1c661110691fa91e28130319881e25f457b10cbe5fa1f013c680198b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avw2jypb.ltk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat

Filesize
198B

MD5
723c067581c797ec399b35cf2542cc21

SHA1
c61bd2d9b9367d34f8014ae268a2e44eb2e34515

SHA256
93f8a7b0208049a2090d3d4a1bc1e047dbecf0972b24d3ebfa31e5b043e63b8d

SHA512
9f82deabc2563dce2caa0ca1d29f3c39560ecd785c1d8ab95487de35d4398f2a0ba41d0ef24a56d654b89228d0269c7037e478a3f0d1760f6cfcb85e7566a2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
198B

MD5
b41ae320faab32138755fde6ce30d1a4

SHA1
c04a10fbf0b2187452a9ee4204263b32ded9d190

SHA256
ab7f87503b7e5478286f1bc7dbbe02e84ba08e8e41f1b26880186d2b4c24c9de

SHA512
77452dab81176accbd903878d0e7bd1eaf91369a39af5e57edb456335fdb5aef8afe9a4912db4d3eb68c8521b8314afcd6bb8a72404dc3c34f67584d3808516f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
198B

MD5
f6ae5ea33fc51ad93fd5fd99c1696523

SHA1
60b503bec5af57da1fe0781aeff13b8df1824255

SHA256
5b73362ebb58d3e433511cc4720efd06cc10adc76f2c1df1677030d4ccd43db1

SHA512
e3cc9ea41499bf187dda846721a3c33615b6069e8aad52f212eb6d6ea4255fe54ce6e0e7d1deb5bcd89d491a7669497d299df98eff8593ef6e2d6797ce30d446

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
198B

MD5
285661618e868baaba674e6549f3dd4a

SHA1
426f94bd0b156176532028a8f84e95bd48937edb

SHA256
6f834ff5771e3d38d7f88abb0664ce092898bf83a0831ce9f589e25c9b655281

SHA512
24ff147013c8396e29767bd2a521c3e642493128db323835e6a397ce048a7d83be5d13e6b69b5c24f1addb7e1a1dbb43348d452df5bb99162c7817cd96ed8d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

Filesize
198B

MD5
4e917b82975ec9a253e2ca6ffb5ec267

SHA1
a7cbe938174a8147be6930cf3f143f9067f0ff0a

SHA256
224f8da670751369c0e6152ff80634875c9abd9252069d4f26d43fb5c909c885

SHA512
fba71c8aeb24e2cde16330cbbc11a9d44bb36e1f7047d12d5ea49ed737733f0ce4ac68cd5912531a4d22bedaf67763efd35b81384f21e2017cc503e55ba2d131

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/732-13-0x00000000007A0000-0x00000000008B0000-memory.dmp

Filesize
1.1MB

Download
memory/732-14-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/732-15-0x0000000002AD0000-0x0000000002ADC000-memory.dmp

Filesize
48KB

Download
memory/732-12-0x00007FFFE1093000-0x00007FFFE1095000-memory.dmp

Filesize
8KB

Download
memory/732-16-0x0000000002AE0000-0x0000000002AEC000-memory.dmp

Filesize
48KB

Download
memory/732-17-0x0000000002AF0000-0x0000000002AFC000-memory.dmp

Filesize
48KB

Download
memory/872-267-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

Filesize
72KB

Download
memory/1512-78-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/1604-248-0x0000000001390000-0x00000000013A2000-memory.dmp

Filesize
72KB

Download
memory/3500-37-0x000002147CD30000-0x000002147CD52000-memory.dmp

Filesize
136KB

Download
memory/4940-298-0x0000000002840000-0x0000000002852000-memory.dmp

Filesize
72KB

Download