dcrat | 1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe
Size

1.3MB
MD5

41359465ffcf4cf42b56797e9cfe2b19
SHA1

699753485526fbb1d0b0e84c961a6202bd254a84
SHA256

1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80
SHA512

1b66e6984a4850671b84e36dcec0878d500f9c3eb7c6b104207bcdad8e0ae27ed966340ed63531323e9ca29c8afb88eab3de06c884d059ac764328ef99052404
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	744	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c9c-10.dat	dcrat
behavioral2/memory/3988-13-0x00000000005B0000-0x00000000006C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
884	powershell.exe
1588	powershell.exe
4812	powershell.exe
1240	powershell.exe
4408	powershell.exe
2320	powershell.exe
3172	powershell.exe
852	powershell.exe
2888	powershell.exe
3400	powershell.exe
1008	powershell.exe
4708	powershell.exe
912	powershell.exe
2040	powershell.exe
3724	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 13 IoCs

pid	Process
3988	DllCommonsvc.exe
2692	unsecapp.exe
4852	unsecapp.exe
4144	unsecapp.exe
4592	unsecapp.exe
636	unsecapp.exe
3420	unsecapp.exe
4800	unsecapp.exe
1536	unsecapp.exe
856	unsecapp.exe
4864	unsecapp.exe
1032	unsecapp.exe
2000	unsecapp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
44	raw.githubusercontent.com
45	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
22	raw.githubusercontent.com
35	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
46	raw.githubusercontent.com
51	raw.githubusercontent.com
55	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\dotnet\shared\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files\dotnet\shared\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\winlogon.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\38384e6a620884	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\es-ES\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4168	schtasks.exe
1568	schtasks.exe
2444	schtasks.exe
1480	schtasks.exe
1520	schtasks.exe
1436	schtasks.exe
2712	schtasks.exe
972	schtasks.exe
4200	schtasks.exe
4180	schtasks.exe
112	schtasks.exe
1536	schtasks.exe
2840	schtasks.exe
2016	schtasks.exe
3876	schtasks.exe
748	schtasks.exe
1396	schtasks.exe
2400	schtasks.exe
2876	schtasks.exe
1688	schtasks.exe
4916	schtasks.exe
400	schtasks.exe
4452	schtasks.exe
4592	schtasks.exe
2904	schtasks.exe
740	schtasks.exe
3652	schtasks.exe
2832	schtasks.exe
2328	schtasks.exe
4920	schtasks.exe
3660	schtasks.exe
2180	schtasks.exe
2568	schtasks.exe
3088	schtasks.exe
4388	schtasks.exe
3864	schtasks.exe
1080	schtasks.exe
2708	schtasks.exe
4504	schtasks.exe
4872	schtasks.exe
1356	schtasks.exe
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3988	DllCommonsvc.exe
3988	DllCommonsvc.exe
3988	DllCommonsvc.exe
3988	DllCommonsvc.exe
3988	DllCommonsvc.exe
3988	DllCommonsvc.exe
3988	DllCommonsvc.exe
1008	powershell.exe
1008	powershell.exe
1240	powershell.exe
1240	powershell.exe
2320	powershell.exe
2320	powershell.exe
4812	powershell.exe
4812	powershell.exe
912	powershell.exe
912	powershell.exe
3172	powershell.exe
3172	powershell.exe
3724	powershell.exe
3724	powershell.exe
4708	powershell.exe
4708	powershell.exe
3400	powershell.exe
3400	powershell.exe
884	powershell.exe
884	powershell.exe
852	powershell.exe
852	powershell.exe
2040	powershell.exe
2040	powershell.exe
2888	powershell.exe
2888	powershell.exe
4408	powershell.exe
4408	powershell.exe
1588	powershell.exe
1588	powershell.exe
1240	powershell.exe
2040	powershell.exe
3172	powershell.exe
1008	powershell.exe
3400	powershell.exe
1588	powershell.exe
912	powershell.exe
2320	powershell.exe
4812	powershell.exe
4708	powershell.exe
852	powershell.exe
3724	powershell.exe
2888	powershell.exe
884	powershell.exe
4408	powershell.exe
2692	unsecapp.exe
4852	unsecapp.exe
4144	unsecapp.exe
4592	unsecapp.exe
636	unsecapp.exe
3420	unsecapp.exe
4800	unsecapp.exe
1536	unsecapp.exe
856	unsecapp.exe
4864	unsecapp.exe
1032	unsecapp.exe
2000	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	DllCommonsvc.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	2692	unsecapp.exe
Token: SeDebugPrivilege	4852	unsecapp.exe
Token: SeDebugPrivilege	4144	unsecapp.exe
Token: SeDebugPrivilege	4592	unsecapp.exe
Token: SeDebugPrivilege	636	unsecapp.exe
Token: SeDebugPrivilege	3420	unsecapp.exe
Token: SeDebugPrivilege	4800	unsecapp.exe
Token: SeDebugPrivilege	1536	unsecapp.exe
Token: SeDebugPrivilege	856	unsecapp.exe
Token: SeDebugPrivilege	4864	unsecapp.exe
Token: SeDebugPrivilege	1032	unsecapp.exe
Token: SeDebugPrivilege	2000	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3504	4744	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe	82
PID 4744 wrote to memory of 3504	4744	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe	82
PID 4744 wrote to memory of 3504	4744	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe	82
PID 3504 wrote to memory of 1000	3504	WScript.exe	83
PID 3504 wrote to memory of 1000	3504	WScript.exe	83
PID 3504 wrote to memory of 1000	3504	WScript.exe	83
PID 1000 wrote to memory of 3988	1000	cmd.exe	85
PID 1000 wrote to memory of 3988	1000	cmd.exe	85
PID 3988 wrote to memory of 4812	3988	DllCommonsvc.exe	129
PID 3988 wrote to memory of 4812	3988	DllCommonsvc.exe	129
PID 3988 wrote to memory of 1240	3988	DllCommonsvc.exe	130
PID 3988 wrote to memory of 1240	3988	DllCommonsvc.exe	130
PID 3988 wrote to memory of 852	3988	DllCommonsvc.exe	131
PID 3988 wrote to memory of 852	3988	DllCommonsvc.exe	131
PID 3988 wrote to memory of 4408	3988	DllCommonsvc.exe	132
PID 3988 wrote to memory of 4408	3988	DllCommonsvc.exe	132
PID 3988 wrote to memory of 4708	3988	DllCommonsvc.exe	133
PID 3988 wrote to memory of 4708	3988	DllCommonsvc.exe	133
PID 3988 wrote to memory of 2888	3988	DllCommonsvc.exe	134
PID 3988 wrote to memory of 2888	3988	DllCommonsvc.exe	134
PID 3988 wrote to memory of 884	3988	DllCommonsvc.exe	135
PID 3988 wrote to memory of 884	3988	DllCommonsvc.exe	135
PID 3988 wrote to memory of 3172	3988	DllCommonsvc.exe	136
PID 3988 wrote to memory of 3172	3988	DllCommonsvc.exe	136
PID 3988 wrote to memory of 2320	3988	DllCommonsvc.exe	137
PID 3988 wrote to memory of 2320	3988	DllCommonsvc.exe	137
PID 3988 wrote to memory of 1008	3988	DllCommonsvc.exe	138
PID 3988 wrote to memory of 1008	3988	DllCommonsvc.exe	138
PID 3988 wrote to memory of 1588	3988	DllCommonsvc.exe	139
PID 3988 wrote to memory of 1588	3988	DllCommonsvc.exe	139
PID 3988 wrote to memory of 3724	3988	DllCommonsvc.exe	140
PID 3988 wrote to memory of 3724	3988	DllCommonsvc.exe	140
PID 3988 wrote to memory of 2040	3988	DllCommonsvc.exe	148
PID 3988 wrote to memory of 2040	3988	DllCommonsvc.exe	148
PID 3988 wrote to memory of 912	3988	DllCommonsvc.exe	149
PID 3988 wrote to memory of 912	3988	DllCommonsvc.exe	149
PID 3988 wrote to memory of 3400	3988	DllCommonsvc.exe	150
PID 3988 wrote to memory of 3400	3988	DllCommonsvc.exe	150
PID 3988 wrote to memory of 3204	3988	DllCommonsvc.exe	158
PID 3988 wrote to memory of 3204	3988	DllCommonsvc.exe	158
PID 3204 wrote to memory of 1980	3204	cmd.exe	161
PID 3204 wrote to memory of 1980	3204	cmd.exe	161
PID 3204 wrote to memory of 2692	3204	cmd.exe	165
PID 3204 wrote to memory of 2692	3204	cmd.exe	165
PID 2692 wrote to memory of 1676	2692	unsecapp.exe	169
PID 2692 wrote to memory of 1676	2692	unsecapp.exe	169
PID 1676 wrote to memory of 1172	1676	cmd.exe	171
PID 1676 wrote to memory of 1172	1676	cmd.exe	171
PID 1676 wrote to memory of 4852	1676	cmd.exe	172
PID 1676 wrote to memory of 4852	1676	cmd.exe	172
PID 4852 wrote to memory of 2788	4852	unsecapp.exe	174
PID 4852 wrote to memory of 2788	4852	unsecapp.exe	174
PID 2788 wrote to memory of 5004	2788	cmd.exe	177
PID 2788 wrote to memory of 5004	2788	cmd.exe	177
PID 2788 wrote to memory of 4144	2788	cmd.exe	178
PID 2788 wrote to memory of 4144	2788	cmd.exe	178
PID 4144 wrote to memory of 2568	4144	unsecapp.exe	179
PID 4144 wrote to memory of 2568	4144	unsecapp.exe	179
PID 2568 wrote to memory of 2176	2568	cmd.exe	181
PID 2568 wrote to memory of 2176	2568	cmd.exe	181
PID 2568 wrote to memory of 4592	2568	cmd.exe	182
PID 2568 wrote to memory of 4592	2568	cmd.exe	182
PID 4592 wrote to memory of 5060	4592	unsecapp.exe	183
PID 4592 wrote to memory of 5060	4592	unsecapp.exe	183

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\shared\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ny75fS7Phx.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1980
      - C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1172
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5004
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2176
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
        13⤵
        
        PID:5060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3444
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"
        15⤵
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:408
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
        17⤵
        
        PID:4192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:624
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        19⤵
        
        PID:4472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3056
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        21⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4404
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat"
        23⤵
        
        PID:1168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2176
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
        25⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1696
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"
        27⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1900
        
        C:\Program Files\dotnet\shared\unsecapp.exe
        
        "C:\Program Files\dotnet\shared\unsecapp.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
        29⤵
        
        PID:1060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\providercommon\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\shared\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\My Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
32eb22918ace6c7c852e6547fee66953

SHA1
8608868448f9c6f0a42d06a8f833b5598236f159

SHA256
a1d8638e84347a9b06b2f3ad194e72eef4783d24d26feccb7a8e46b1d907eace

SHA512
9bb067f85829cdde4287e55dd1d1ba1645d59811560594a430e47166d907e30c4680bd7af1e380ca41240c4d4370ed371494f2151b6a8523ebe5bc7dabba6bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
208B

MD5
90def0117b27ffe23134859f4eb564c3

SHA1
8be3fe4c214a6ba05dd28fd9a5bd8a5204b6b815

SHA256
32e1647031b4fc7fb10650f2344dd39b64e6dab97156b5174bbed4672abfe0b5

SHA512
6860aec4ba7fc8306ca703ad53d64aaf27dce9c6375ef48debf7100af52a0be7d28ead789dcf1545c766e65cb79a557ccdbbd16cbb930ad88df04f5dec8d661d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

Filesize
208B

MD5
456a67f81fdfb335456529c7dd7f7e57

SHA1
4d91aeb96bc5aaf550685be632c72e1f85c16d37

SHA256
9929d4d3e73db7c02353e376f9f79c7e6906acc7b5306d7b3915abc3767d2117

SHA512
8d5b6ac94b961a1683e6caf626e90fc5aab7b933a45a5eeb87d60f00027c6f8f126851c84da7d86b587bd027af1891161aaf975e357a21f8d857f0214d43d33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

Filesize
208B

MD5
b7c207e692de18660c2c8a09c00db443

SHA1
460416e29ce13d2a56c53b4fee747603fbabfd57

SHA256
7909d34623bb9c516b77e9a52d70635c4268cb01287bfb96895c02b91ba10fb8

SHA512
89b9ddfa22b7173e3a7404d7955d0be49e3c8d9ea682c05287751e89f4ebda73a918e7b7f225b44ef7fb045b156c6689c9c29f7a4e44ffe6712e68b724901aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ny75fS7Phx.bat

Filesize
208B

MD5
3af87aa59daea91c7625b02a9debc170

SHA1
550bce2ec4746c63210de0adb993cc8173c6724d

SHA256
c2b673cf57798cb6e4fd6a01f307200807751c8405dc88e76c1fe771086ba637

SHA512
21a6703021e1b7af303a3681bbc8233a673473ff200ed8108cff7c3fa4ce40e01fa8f39cb1219e5142b21145b6d335c6bc0e856e45d3d5d54f34839b56f8f44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat

Filesize
208B

MD5
32dcdb9a275b23af968f4f8bf5ad8e45

SHA1
393feae04d9f70bfe070933e637397821e3ed81f

SHA256
8f717de54c5b562fbe12ccf275a03038a2d8298a49eaec57eff2159b2c57a212

SHA512
bfa4e5e253bf7da9e20519a1b640df90e4fea26d2ce1bb19f8578bd6123fc6d49917cad086b24be8c520895cc82cb3eef20f5e3558744c7a2b6ac3f0c65fbd13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat

Filesize
208B

MD5
ca5fd961f4a9fdc6e130e9a4a2e911ac

SHA1
f7a5c53beed2fb65b03e6f48eb54cac59e5f18df

SHA256
6b3580eeb816a4dc7de6207c3802483a1cc48fbcd7c92dacbe3ba07ee100c573

SHA512
b0a29ef126aa8d7eeb379960e6bf08c0dc0fbc82c90bb3976a1af9753cd0f92a0fd3742734e569044b9271aeb5006bef316a6287d58438a05147df01459190bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat

Filesize
208B

MD5
54255a8a46c1cc88dd5d22e5c73bf44a

SHA1
07c005625d195aafe8c38e90490eb9ae9aa6bc94

SHA256
20d485b44f2ed619551c120e5904ea92b0117892976d0230782cc5328e70592b

SHA512
a5db5a23b5309229b90b78b36ee28cb0c8bdb32876f6512e9607ff4a44677851dd55c8b8180bc7e0571e54ba7470b27af7703ea88d106d353932786ea01ee03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wc5h03za.k2r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
208B

MD5
63ec1db13a4fe7ac46224e4d3a9dacfc

SHA1
845b03e70fb7eaa33114f7054265f3761a599e63

SHA256
787a6ffafabe3b81fd73f68e35102cdbc7489764b4de4eecdb7d45ed5a5d6c8c

SHA512
f7691ff8c5fb7b5056ce389381550a362e00ff65b0e6a7cf37d90c6956b078b258db7701a85c603cd3218d7917d4e024e6c0e378c43f959ca6420159d925d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat

Filesize
208B

MD5
50e1284a57c1bfcacac90023e4aa3468

SHA1
52188058f7c1b894f8d0c76032081dd1170a5008

SHA256
4edda66d8b92ed30ed7ffad8f1950404783f00f1bedeebef99936662300ec1ac

SHA512
0e1b109e59478b31b063f0f0735a9a2352a5fe52b2fe1f11b9c81865ce30acdaf20342b17f87a4337360da091a166916fa5f800e82cb426290324b4e7e196505

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat

Filesize
208B

MD5
fe146f7e0e3eaa17f475d8dfcb309558

SHA1
9ebd68493a189259b7c32508a05adc928dd82aa7

SHA256
8c7bcb6098700f7468b29fc74d80675c046a99811951ca814a4c0dcb7957bab1

SHA512
617606a67b2279abde737e0aeb2d3a873ec842754a6372cc3fa50e4707addd55c51cb8e6b01bbe3e4c34f16b5eb083cb627a601e678583b9753bd9c7b1ec7431

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
208B

MD5
a30bc18696a523ee186ebdf1969652de

SHA1
4257c318680aa9bd3027153360611f1bd4161387

SHA256
29f8740b17957d02b83c4bc8806b57ec150739beed82adc98ad79c484e3872fb

SHA512
dce6e36e91221601177c4d25e04dc7f72f9c2103bcd4c22f579eb98bc029fd6bd81be3cb8e6d9d795488f53e2db46189dc175964a35eafb73be663b2ff994366

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

Filesize
208B

MD5
efc8c0388c93c7336e6d163cdeb27627

SHA1
ac08388c80493b0a5b7ccdc80758a32438522999

SHA256
f8120a7c2250285d708aa9d5308b0207cae43371c322e20e5b4312410408803d

SHA512
a56128f0dab10e4cf87acc74d324e8f45d7a488353a21e40526f8d6568ecf8ad54c56da61f0142e4f948759d1290891ec97d5046261a060d398693fb875541a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
208B

MD5
a52a0c4d286a7a6bd85818025229dcf2

SHA1
b711e0119145b77e3ca88a9befec26a899aeab39

SHA256
8e1c19887d4633d7c5f3195b24c078d555c8f8889ee989a2be00959ca9fd70ca

SHA512
71160f9527bbae6060787eb6052cb75ab9f941c615c029edaac21ba5ea6d32d7762b0d80235d0c7b22eb934c206e865cbb0d9eab159610373105e0f46dd8d337

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1008-56-0x00000187B6680000-0x00000187B66A2000-memory.dmp

Filesize
136KB

Download
memory/2000-293-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/3420-254-0x0000000000F70000-0x0000000000F82000-memory.dmp

Filesize
72KB

Download
memory/3988-17-0x00000000027A0000-0x00000000027AC000-memory.dmp

Filesize
48KB

Download
memory/3988-16-0x0000000000F90000-0x0000000000F9C000-memory.dmp

Filesize
48KB

Download
memory/3988-15-0x00000000027B0000-0x00000000027BC000-memory.dmp

Filesize
48KB

Download
memory/3988-14-0x0000000000F80000-0x0000000000F92000-memory.dmp

Filesize
72KB

Download
memory/3988-13-0x00000000005B0000-0x00000000006C0000-memory.dmp

Filesize
1.1MB

Download
memory/3988-12-0x00007FF92F5F3000-0x00007FF92F5F5000-memory.dmp

Filesize
8KB

Download
memory/4800-261-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4864-280-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download