dcrat | 90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe
Size

1.3MB
MD5

b5947c3bc5fcd3c71e22b064b7905d72
SHA1

ea57da4692da415bcf2d916128bd872ab049d5d0
SHA256

90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc
SHA512

65373fb64de699e432affd39907a2a9c1465687c23ab10036ed8280f11fda807eab01a9dc55514fc7a17c2946676194aea7c991027e4a2cf5bee66dada2df345
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	3436	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	3436	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b7e-10.dat	dcrat
behavioral2/memory/3028-13-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3560	powershell.exe
4584	powershell.exe
3528	powershell.exe
3736	powershell.exe
2424	powershell.exe
3764	powershell.exe
1152	powershell.exe
2544	powershell.exe
4824	powershell.exe
4700	powershell.exe
4460	powershell.exe
1056	powershell.exe
4004	powershell.exe
3712	powershell.exe
4848	powershell.exe
1964	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 13 IoCs

pid	Process
3028	DllCommonsvc.exe
4544	dwm.exe
3728	dwm.exe
4824	dwm.exe
3148	dwm.exe
4340	dwm.exe
2316	dwm.exe
3264	dwm.exe
2008	dwm.exe
3940	dwm.exe
3764	dwm.exe
4812	dwm.exe
4800	dwm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
50	raw.githubusercontent.com
42	raw.githubusercontent.com
43	raw.githubusercontent.com
49	raw.githubusercontent.com
51	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
37	raw.githubusercontent.com
38	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\locale\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\attachments\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\ModifiableWindowsApps\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\attachments\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Skins\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Skins\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\dwm.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\TAPI\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1920	schtasks.exe
1364	schtasks.exe
2900	schtasks.exe
3232	schtasks.exe
2960	schtasks.exe
3744	schtasks.exe
400	schtasks.exe
2128	schtasks.exe
1368	schtasks.exe
2840	schtasks.exe
2876	schtasks.exe
1976	schtasks.exe
3464	schtasks.exe
868	schtasks.exe
4820	schtasks.exe
748	schtasks.exe
1968	schtasks.exe
1992	schtasks.exe
4480	schtasks.exe
3208	schtasks.exe
4500	schtasks.exe
1932	schtasks.exe
4128	schtasks.exe
1004	schtasks.exe
1328	schtasks.exe
1900	schtasks.exe
1708	schtasks.exe
4932	schtasks.exe
1404	schtasks.exe
2084	schtasks.exe
4364	schtasks.exe
2052	schtasks.exe
4784	schtasks.exe
3216	schtasks.exe
3256	schtasks.exe
2652	schtasks.exe
3996	schtasks.exe
2612	schtasks.exe
376	schtasks.exe
872	schtasks.exe
4524	schtasks.exe
3252	schtasks.exe
3424	schtasks.exe
4484	schtasks.exe
4652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
2424	powershell.exe
2424	powershell.exe
3764	powershell.exe
3764	powershell.exe
4848	powershell.exe
4848	powershell.exe
1964	powershell.exe
1964	powershell.exe
3736	powershell.exe
3736	powershell.exe
3560	powershell.exe
3560	powershell.exe
4004	powershell.exe
4004	powershell.exe
4700	powershell.exe
4700	powershell.exe
2544	powershell.exe
2544	powershell.exe
1152	powershell.exe
1152	powershell.exe
4824	powershell.exe
4824	powershell.exe
4584	powershell.exe
4584	powershell.exe
1056	powershell.exe
1056	powershell.exe
4460	powershell.exe
4460	powershell.exe
3528	powershell.exe
3528	powershell.exe
3712	powershell.exe
3712	powershell.exe
3528	powershell.exe
4584	powershell.exe
4824	powershell.exe
2424	powershell.exe
4848	powershell.exe
1964	powershell.exe
3736	powershell.exe
2544	powershell.exe
1056	powershell.exe
4700	powershell.exe
4004	powershell.exe
3560	powershell.exe
3764	powershell.exe
1152	powershell.exe
4460	powershell.exe
3712	powershell.exe
4544	dwm.exe
3728	dwm.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	DllCommonsvc.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	4544	dwm.exe
Token: SeDebugPrivilege	3728	dwm.exe
Token: SeDebugPrivilege	4824	dwm.exe
Token: SeDebugPrivilege	3148	dwm.exe
Token: SeDebugPrivilege	4340	dwm.exe
Token: SeDebugPrivilege	2316	dwm.exe
Token: SeDebugPrivilege	3264	dwm.exe
Token: SeDebugPrivilege	2008	dwm.exe
Token: SeDebugPrivilege	3940	dwm.exe
Token: SeDebugPrivilege	3764	dwm.exe
Token: SeDebugPrivilege	4812	dwm.exe
Token: SeDebugPrivilege	4800	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 1196	3220	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe	82
PID 3220 wrote to memory of 1196	3220	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe	82
PID 3220 wrote to memory of 1196	3220	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe	82
PID 1196 wrote to memory of 5116	1196	WScript.exe	83
PID 1196 wrote to memory of 5116	1196	WScript.exe	83
PID 1196 wrote to memory of 5116	1196	WScript.exe	83
PID 5116 wrote to memory of 3028	5116	cmd.exe	85
PID 5116 wrote to memory of 3028	5116	cmd.exe	85
PID 3028 wrote to memory of 1056	3028	DllCommonsvc.exe	132
PID 3028 wrote to memory of 1056	3028	DllCommonsvc.exe	132
PID 3028 wrote to memory of 2424	3028	DllCommonsvc.exe	133
PID 3028 wrote to memory of 2424	3028	DllCommonsvc.exe	133
PID 3028 wrote to memory of 1152	3028	DllCommonsvc.exe	134
PID 3028 wrote to memory of 1152	3028	DllCommonsvc.exe	134
PID 3028 wrote to memory of 3736	3028	DllCommonsvc.exe	135
PID 3028 wrote to memory of 3736	3028	DllCommonsvc.exe	135
PID 3028 wrote to memory of 4460	3028	DllCommonsvc.exe	137
PID 3028 wrote to memory of 4460	3028	DllCommonsvc.exe	137
PID 3028 wrote to memory of 4848	3028	DllCommonsvc.exe	138
PID 3028 wrote to memory of 4848	3028	DllCommonsvc.exe	138
PID 3028 wrote to memory of 4700	3028	DllCommonsvc.exe	139
PID 3028 wrote to memory of 4700	3028	DllCommonsvc.exe	139
PID 3028 wrote to memory of 3528	3028	DllCommonsvc.exe	140
PID 3028 wrote to memory of 3528	3028	DllCommonsvc.exe	140
PID 3028 wrote to memory of 3764	3028	DllCommonsvc.exe	141
PID 3028 wrote to memory of 3764	3028	DllCommonsvc.exe	141
PID 3028 wrote to memory of 3560	3028	DllCommonsvc.exe	142
PID 3028 wrote to memory of 3560	3028	DllCommonsvc.exe	142
PID 3028 wrote to memory of 2544	3028	DllCommonsvc.exe	143
PID 3028 wrote to memory of 2544	3028	DllCommonsvc.exe	143
PID 3028 wrote to memory of 4824	3028	DllCommonsvc.exe	144
PID 3028 wrote to memory of 4824	3028	DllCommonsvc.exe	144
PID 3028 wrote to memory of 1964	3028	DllCommonsvc.exe	145
PID 3028 wrote to memory of 1964	3028	DllCommonsvc.exe	145
PID 3028 wrote to memory of 4584	3028	DllCommonsvc.exe	146
PID 3028 wrote to memory of 4584	3028	DllCommonsvc.exe	146
PID 3028 wrote to memory of 3712	3028	DllCommonsvc.exe	147
PID 3028 wrote to memory of 3712	3028	DllCommonsvc.exe	147
PID 3028 wrote to memory of 4004	3028	DllCommonsvc.exe	149
PID 3028 wrote to memory of 4004	3028	DllCommonsvc.exe	149
PID 3028 wrote to memory of 2088	3028	DllCommonsvc.exe	164
PID 3028 wrote to memory of 2088	3028	DllCommonsvc.exe	164
PID 2088 wrote to memory of 3216	2088	cmd.exe	166
PID 2088 wrote to memory of 3216	2088	cmd.exe	166
PID 2088 wrote to memory of 4544	2088	cmd.exe	167
PID 2088 wrote to memory of 4544	2088	cmd.exe	167
PID 4544 wrote to memory of 968	4544	dwm.exe	172
PID 4544 wrote to memory of 968	4544	dwm.exe	172
PID 968 wrote to memory of 4404	968	cmd.exe	174
PID 968 wrote to memory of 4404	968	cmd.exe	174
PID 968 wrote to memory of 3728	968	cmd.exe	177
PID 968 wrote to memory of 3728	968	cmd.exe	177
PID 3728 wrote to memory of 3512	3728	dwm.exe	179
PID 3728 wrote to memory of 3512	3728	dwm.exe	179
PID 3512 wrote to memory of 1496	3512	cmd.exe	181
PID 3512 wrote to memory of 1496	3512	cmd.exe	181
PID 3512 wrote to memory of 4824	3512	cmd.exe	183
PID 3512 wrote to memory of 4824	3512	cmd.exe	183
PID 4824 wrote to memory of 2376	4824	dwm.exe	184
PID 4824 wrote to memory of 2376	4824	dwm.exe	184
PID 2376 wrote to memory of 4988	2376	cmd.exe	186
PID 2376 wrote to memory of 4988	2376	cmd.exe	186
PID 2376 wrote to memory of 3148	2376	cmd.exe	187
PID 2376 wrote to memory of 3148	2376	cmd.exe	187

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Skins\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wm0lFShfSi.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3216
      - C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4404
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1496
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4988
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat"
        13⤵
        
        PID:1328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4396
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
        15⤵
        
        PID:4752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1412
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat"
        17⤵
        
        PID:5068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2076
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        19⤵
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3496
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
        21⤵
        
        PID:3896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1728
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
        23⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:5088
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat"
        25⤵
        
        PID:4652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4288
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"
        27⤵
        
        PID:448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3912
        
        C:\Windows\Vss\Writers\dwm.exe
        
        "C:\Windows\Vss\Writers\dwm.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Skins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Skins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\locale\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\locale\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat

Filesize
195B

MD5
89a02a67829e0e8e0e092a77adcb0db4

SHA1
837168b6fcbb2d57cf75bac6e2d6054451ed5368

SHA256
8d1ba1fab6514f58e0dd9b1c409dd0a07c767b94ce520a682802c81fef91abad

SHA512
4ba0c7853be21bed2d55e6faf5c02af082cf07a151ce37fde0d1a8190c99eda0b72ea6632948772120ebb3908a0f400303c10c2129b22b366b47eae0a6bd0175

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat

Filesize
195B

MD5
6066097e5640800be7b9f6b3018df2f2

SHA1
ed549c6ce2193bf3b7100d3d8921becbce6c0ea3

SHA256
5250b4d27abff7a08eb34cdde9da4c1f7c9d20c445304494e0ab35f075b4acab

SHA512
9218be83d1f102963188ffde96129630954e78ef2bc1e0606b64840d5cfcf96dcfaee1a25dad0cd391e7b1bb97c146a0a93fffc57ea6424ebae226fd823a4abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
195B

MD5
2709c712a3450c52ed2f840bb9838153

SHA1
72fe419f8ced8027d49fcb7b111c93b98c99afda

SHA256
56c99c4da7de3ed8a279eb4bc89aacdb823eeff36e06a9461f0d645cc0b576f0

SHA512
69373cfe4dfcbf7994b9e9bb3c0c59ceca3b4da5d0be992b8d3b1e2c0d20bc3943f453350c98f4d75807864dc9a3ac4b38aa5865e365859a700ff4d69831d0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat

Filesize
195B

MD5
199b478a63e61e038b11098fe949a95c

SHA1
03c6d8bc1df4c9d0844d99298d43376a1adf6cdf

SHA256
67f53bb2c0d666abdd16569345bb1ea51837220af1161913ea9dc22ee1f2f202

SHA512
532f13b6d5cb6a3a2c358a36b3a0775edf29418bba40fd8a57ed49824936114e37d161a2aea458452bc125f98f2324fa6b9f099a0da01a0bf491e5f88e8ae0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat

Filesize
195B

MD5
dcc7efa6a38e57daf203656acab600ee

SHA1
070698472027a84a88dd28ffc8437858caf589c8

SHA256
a12203c743e500c0f568e92ee4b8172f67dded4758a03d39d3fa16778eb01e34

SHA512
a7dd33e4227cbaa487acc8c3e33fd30e27e041ba0e35deea001913506e01e9be31473533856a15cd34840ab0e6b42490206b0cb1aa01ca6b23461ae4cebeb297

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

Filesize
195B

MD5
e793a0c7e487fcb6ee4ecc05dcd3015e

SHA1
349def61bcc8daea97ce823e78ead1c7f708c56f

SHA256
e034db52b63bafbd6a40a250ee2a4e6d5b73f29ab97aaad66b65c8e651fa98f8

SHA512
28e618f5256d42f109a02d361a75a953385a3c12f4df331576754d6b40020abc4220e312d3891c4a2c624d6e9a76b794ce01d982f8f8a7ecb9c48af9b8af3038

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5jycdpw.54a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

Filesize
195B

MD5
11f949c84f07c9bba0f4c8c35817c305

SHA1
699bb6cea67e8d848129e9c01ff2f3f4ad483b48

SHA256
3a33f4d997f6aa7d42a70cd03fa3667cdcb468889a3601dfcc9ebabfd5da632d

SHA512
c943a22cd4b2226c80676c67154e31c7b7eae440bb508af0417273803a0504e3ff4c540f5851a97f36a8b268c6c979fa729878d565de543a118d1ce32240446f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

Filesize
195B

MD5
9d81a011dadd464aa9f517a2212da13e

SHA1
0296dc5521b73b0bf7d4086015d89c372bc8a5a7

SHA256
ae379103b0b2ee8de5c0f15a61ed15a06c3b1c9fb81d74eb510192c771d255fc

SHA512
e0310ba9b8b5120b6c6c28144656abc3103bc51061c670ba4fd9e2f69fcdb485e8498af98d19aa03b81a65b5a343cbb9ba52ffafeaf610fdd44cc927661cf7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat

Filesize
195B

MD5
0d91b32d347253d88a6136aea88e4859

SHA1
bee94e5c61e02ba75fa46d495ff28aa7f51f6fed

SHA256
75737cc160597c94bb075f4d61b3559b1644a205c5a0ac1f24c6ce750e9386fd

SHA512
241069dbe115511db4897c0a8a0a2ea0ded69f2f095bf031efec6a29e2dfd5a747198de93e173d0c91d1f6b0bd1379ebd607894d66088f8f80bc53fa41bfca05

Download Submit
C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat

Filesize
195B

MD5
795ae4f412659975cb9441a074d2f9d9

SHA1
aa26b3a415dd66c9a2c320ae134d1bff2e3d59e5

SHA256
b177f33b8840bd2d145bbb9a7beaff50e97967a1e035ae209def66416a4c7596

SHA512
630ee03827e141058aa98de06fe0e842e2e8faab01a4d9b99ee0514b1952da98540e70b0bd6808b491a86cb04b4a85316ebf5b9275350af4dfbbb0bb33d97b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\wm0lFShfSi.bat

Filesize
195B

MD5
9aaa900cc5d1454f8b0cf0ec54ce053f

SHA1
9b0b175645a6e296cea8a64f389439da92bb9534

SHA256
5e11c6191317015147fc9cb380502a7c9960631b819aacb3723d36879f609f77

SHA512
efcea81d9777b9b3b383b47d8edc9314930a885c314ea23732451cfdb2dc196096a4d05cd11d422b31957086d5ff94bc36bda87279d1a2eb424641c7998eb7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat

Filesize
195B

MD5
89998f2848a567d5966a39e68d0f58e6

SHA1
b70236f7b8fded00b99a830814e761db2be91739

SHA256
ee5c14fccaee370f3d7db5140fe5a2d69f6820217a9301bb70c8bb53770380bd

SHA512
9cc485d1863bfe7449f07b8dff4d47005e4d3ecafd79ebde81cc02c2f93fde9bb558e82c48fc3e91bf2d16b6fb688ff63908cc7235e4e8bddc1fc776c12d201f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1964-63-0x00000205A8CE0000-0x00000205A8D02000-memory.dmp

Filesize
136KB

Download
memory/3028-14-0x000000001AEA0000-0x000000001AEB2000-memory.dmp

Filesize
72KB

Download
memory/3028-15-0x000000001AEC0000-0x000000001AECC000-memory.dmp

Filesize
48KB

Download
memory/3028-13-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/3028-12-0x00007FFEC5E13000-0x00007FFEC5E15000-memory.dmp

Filesize
8KB

Download
memory/3028-16-0x000000001AEB0000-0x000000001AEBC000-memory.dmp

Filesize
48KB

Download
memory/3028-17-0x000000001AED0000-0x000000001AEDC000-memory.dmp

Filesize
48KB

Download
memory/3728-243-0x0000000001490000-0x00000000014A2000-memory.dmp

Filesize
72KB

Download
memory/4800-305-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4824-250-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download