dcrat | 10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00.exe
Size

1.3MB
MD5

5d9107a1eff6f4582bd485d0b52c490b
SHA1

a25d87c0ad8f7b126d79649e89173c2945df2b13
SHA256

10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00
SHA512

1fbf99c841cc2976e67ab23bb3163c84ccb536b818b5338311aa3beb43a463aaa3d1e91d8e6c97fc5706cdbe919c4696d074d22c9f1f96b1038ba6eee4df61f8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	1432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1432	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb6-10.dat	dcrat
behavioral2/memory/3644-13-0x0000000000950000-0x0000000000A60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3316	powershell.exe
3608	powershell.exe
2680	powershell.exe
1932	powershell.exe
4112	powershell.exe
3136	powershell.exe
2384	powershell.exe
3680	powershell.exe
5024	powershell.exe
392	powershell.exe
1316	powershell.exe
688	powershell.exe
3616	powershell.exe
3016	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 16 IoCs

pid	Process
3644	DllCommonsvc.exe
1484	System.exe
3092	System.exe
968	System.exe
4292	System.exe
3024	System.exe
4896	System.exe
1932	System.exe
3880	System.exe
212	System.exe
4304	System.exe
4160	System.exe
772	System.exe
4496	System.exe
1476	System.exe
2604	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com
18	raw.githubusercontent.com
24	raw.githubusercontent.com
53	raw.githubusercontent.com
55	raw.githubusercontent.com
47	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
38	raw.githubusercontent.com
43	raw.githubusercontent.com
39	raw.githubusercontent.com
44	raw.githubusercontent.com
54	raw.githubusercontent.com

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\5b884080fd4f94	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	JaffaCakes118_10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4484	schtasks.exe
464	schtasks.exe
4504	schtasks.exe
2928	schtasks.exe
3780	schtasks.exe
4960	schtasks.exe
2272	schtasks.exe
1572	schtasks.exe
3460	schtasks.exe
3664	schtasks.exe
4884	schtasks.exe
2516	schtasks.exe
4980	schtasks.exe
2336	schtasks.exe
368	schtasks.exe
2368	schtasks.exe
4792	schtasks.exe
1196	schtasks.exe
3532	schtasks.exe
2876	schtasks.exe
3400	schtasks.exe
1308	schtasks.exe
2456	schtasks.exe
4084	schtasks.exe
4292	schtasks.exe
3356	schtasks.exe
700	schtasks.exe
1852	schtasks.exe
2844	schtasks.exe
3492	schtasks.exe
428	schtasks.exe
408	schtasks.exe
5004	schtasks.exe
3180	schtasks.exe
4392	schtasks.exe
4172	schtasks.exe
4568	schtasks.exe
4008	schtasks.exe
3960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	DllCommonsvc.exe
3644	DllCommonsvc.exe
3644	DllCommonsvc.exe
3644	DllCommonsvc.exe
3644	DllCommonsvc.exe
3644	DllCommonsvc.exe
3644	DllCommonsvc.exe
3644	DllCommonsvc.exe
3644	DllCommonsvc.exe
3616	powershell.exe
3616	powershell.exe
3608	powershell.exe
3608	powershell.exe
3016	powershell.exe
3016	powershell.exe
3136	powershell.exe
3136	powershell.exe
688	powershell.exe
688	powershell.exe
5024	powershell.exe
5024	powershell.exe
3316	powershell.exe
3316	powershell.exe
3680	powershell.exe
3680	powershell.exe
2384	powershell.exe
2384	powershell.exe
1932	powershell.exe
1932	powershell.exe
2680	powershell.exe
2680	powershell.exe
4112	powershell.exe
4112	powershell.exe
392	powershell.exe
392	powershell.exe
1316	powershell.exe
1316	powershell.exe
392	powershell.exe
2680	powershell.exe
1484	System.exe
1484	System.exe
3608	powershell.exe
3616	powershell.exe
5024	powershell.exe
3016	powershell.exe
3316	powershell.exe
2384	powershell.exe
3136	powershell.exe
4112	powershell.exe
688	powershell.exe
3680	powershell.exe
1932	powershell.exe
1316	powershell.exe
3092	System.exe
968	System.exe
4292	System.exe
3024	System.exe
4896	System.exe
1932	System.exe
3880	System.exe
212	System.exe
4304	System.exe
4160	System.exe
772	System.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	DllCommonsvc.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1484	System.exe
Token: SeDebugPrivilege	3092	System.exe
Token: SeDebugPrivilege	968	System.exe
Token: SeDebugPrivilege	4292	System.exe
Token: SeDebugPrivilege	3024	System.exe
Token: SeDebugPrivilege	4896	System.exe
Token: SeDebugPrivilege	1932	System.exe
Token: SeDebugPrivilege	3880	System.exe
Token: SeDebugPrivilege	212	System.exe
Token: SeDebugPrivilege	4304	System.exe
Token: SeDebugPrivilege	4160	System.exe
Token: SeDebugPrivilege	772	System.exe
Token: SeDebugPrivilege	4496	System.exe
Token: SeDebugPrivilege	1476	System.exe
Token: SeDebugPrivilege	2604	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 976	816	JaffaCakes118_10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00.exe	82
PID 816 wrote to memory of 976	816	JaffaCakes118_10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00.exe	82
PID 816 wrote to memory of 976	816	JaffaCakes118_10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00.exe	82
PID 976 wrote to memory of 1140	976	WScript.exe	83
PID 976 wrote to memory of 1140	976	WScript.exe	83
PID 976 wrote to memory of 1140	976	WScript.exe	83
PID 1140 wrote to memory of 3644	1140	cmd.exe	85
PID 1140 wrote to memory of 3644	1140	cmd.exe	85
PID 3644 wrote to memory of 2384	3644	DllCommonsvc.exe	126
PID 3644 wrote to memory of 2384	3644	DllCommonsvc.exe	126
PID 3644 wrote to memory of 1316	3644	DllCommonsvc.exe	127
PID 3644 wrote to memory of 1316	3644	DllCommonsvc.exe	127
PID 3644 wrote to memory of 5024	3644	DllCommonsvc.exe	128
PID 3644 wrote to memory of 5024	3644	DllCommonsvc.exe	128
PID 3644 wrote to memory of 392	3644	DllCommonsvc.exe	129
PID 3644 wrote to memory of 392	3644	DllCommonsvc.exe	129
PID 3644 wrote to memory of 3316	3644	DllCommonsvc.exe	130
PID 3644 wrote to memory of 3316	3644	DllCommonsvc.exe	130
PID 3644 wrote to memory of 3608	3644	DllCommonsvc.exe	131
PID 3644 wrote to memory of 3608	3644	DllCommonsvc.exe	131
PID 3644 wrote to memory of 3680	3644	DllCommonsvc.exe	132
PID 3644 wrote to memory of 3680	3644	DllCommonsvc.exe	132
PID 3644 wrote to memory of 2680	3644	DllCommonsvc.exe	133
PID 3644 wrote to memory of 2680	3644	DllCommonsvc.exe	133
PID 3644 wrote to memory of 3016	3644	DllCommonsvc.exe	134
PID 3644 wrote to memory of 3016	3644	DllCommonsvc.exe	134
PID 3644 wrote to memory of 1932	3644	DllCommonsvc.exe	135
PID 3644 wrote to memory of 1932	3644	DllCommonsvc.exe	135
PID 3644 wrote to memory of 4112	3644	DllCommonsvc.exe	136
PID 3644 wrote to memory of 4112	3644	DllCommonsvc.exe	136
PID 3644 wrote to memory of 3136	3644	DllCommonsvc.exe	137
PID 3644 wrote to memory of 3136	3644	DllCommonsvc.exe	137
PID 3644 wrote to memory of 688	3644	DllCommonsvc.exe	138
PID 3644 wrote to memory of 688	3644	DllCommonsvc.exe	138
PID 3644 wrote to memory of 3616	3644	DllCommonsvc.exe	139
PID 3644 wrote to memory of 3616	3644	DllCommonsvc.exe	139
PID 3644 wrote to memory of 1484	3644	DllCommonsvc.exe	154
PID 3644 wrote to memory of 1484	3644	DllCommonsvc.exe	154
PID 1484 wrote to memory of 3160	1484	System.exe	161
PID 1484 wrote to memory of 3160	1484	System.exe	161
PID 3160 wrote to memory of 2952	3160	cmd.exe	163
PID 3160 wrote to memory of 2952	3160	cmd.exe	163
PID 3160 wrote to memory of 3092	3160	cmd.exe	164
PID 3160 wrote to memory of 3092	3160	cmd.exe	164
PID 3092 wrote to memory of 1248	3092	System.exe	165
PID 3092 wrote to memory of 1248	3092	System.exe	165
PID 1248 wrote to memory of 4428	1248	cmd.exe	167
PID 1248 wrote to memory of 4428	1248	cmd.exe	167
PID 1248 wrote to memory of 968	1248	cmd.exe	168
PID 1248 wrote to memory of 968	1248	cmd.exe	168
PID 968 wrote to memory of 2304	968	System.exe	170
PID 968 wrote to memory of 2304	968	System.exe	170
PID 2304 wrote to memory of 3616	2304	cmd.exe	172
PID 2304 wrote to memory of 3616	2304	cmd.exe	172
PID 2304 wrote to memory of 4292	2304	cmd.exe	173
PID 2304 wrote to memory of 4292	2304	cmd.exe	173
PID 4292 wrote to memory of 5020	4292	System.exe	175
PID 4292 wrote to memory of 5020	4292	System.exe	175
PID 5020 wrote to memory of 4172	5020	cmd.exe	177
PID 5020 wrote to memory of 4172	5020	cmd.exe	177
PID 5020 wrote to memory of 3024	5020	cmd.exe	178
PID 5020 wrote to memory of 3024	5020	cmd.exe	178
PID 3024 wrote to memory of 2120	3024	System.exe	179
PID 3024 wrote to memory of 2120	3024	System.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10a1f07ae7909ed446196c9d85dfa242a57b3d513dbb279269366b8fdde28b00.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
    - - C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2952
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4428
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3616
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4172
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
        14⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1116
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        16⤵
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:636
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        18⤵
        
        PID:700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:820
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        20⤵
        
        PID:4460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2344
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        22⤵
        
        PID:4996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2424
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
        24⤵
        
        PID:4220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3344
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
        26⤵
        
        PID:3212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2676
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
        28⤵
        
        PID:4804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:740
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
        30⤵
        
        PID:2848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:5004
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"
        32⤵
        
        PID:5092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:3492
        
        C:\providercommon\System.exe
        
        "C:\providercommon\System.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat

Filesize
193B

MD5
375071136ae8bc57c2b441408e1d39b2

SHA1
15897535ae1cf0403108447ed4fd5b18b206f293

SHA256
f9f8e7bee91f16ce92de9cc7f434f3fe0c5c58db35c70c08b5ac0366d61bebb8

SHA512
91935edff833d0b3f770bac939f819c366fb03f8b566d3b1bbadeef107c5e63f2e8ed7dc5bdf37c98a779e58d037df88834863a82ab7f8120623bc3188a5c75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
193B

MD5
0f592fa2f4c2362d8dce6417ba10f5dd

SHA1
34ba91a49daac7b4917a9e8cf7fe62c2f0264a0c

SHA256
09c53a719b58a89e6194061e0fc62b5bb78ef423e38ab422cda60440031b908d

SHA512
bba963e2f728b9de80d764b9aafb0931befc4c60bea5d2ca3c742d0a04b6e87692e7b92afec23fb7d033f243fc4d58d1899bb5904b33e33ed8a5b41841f7ebe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat

Filesize
193B

MD5
234cd1d993eb3052c88b72e7bc9176fe

SHA1
c46e5401e7b01c768684bb17a7aad2354f64ffca

SHA256
52ef80050cb41c391c00edd1c7514aafb9fe00e64a2288c44e7d1935dc01ed63

SHA512
807227f9efa5e4de40594c1db3aebc7b53a7a511c02626c53aedf72f3e23ed65a0c275f7eecec764fddc12f87e4ac19cffd13ca4ba613fcda79e04ed94ecf56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

Filesize
193B

MD5
cccc4397259ecfc97d25c868e2c157da

SHA1
74acd8622c46c05708ff103dfa49a6ee76be53d7

SHA256
8747bb4356d8b63716d5d23ffa81faeba3c91dc4a315ce35ffce18dc957f0e53

SHA512
f5f4927ef427ef2b2b2be8bee2f76dd35bf88a1d291c37bbfb40e546fb26f01b5db574d0a89c3defe390217f4ad203c9bc853ea64d9efbefae77138a34c0ae5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

Filesize
193B

MD5
c482efeb98bbfc094b87dd04a8086707

SHA1
2b603f575b010e18fba50ba2c963f023bba2a6fe

SHA256
ee4cbd517c7e0c3605a91a47e3b2a0b3e8d2a25a05896b7fe20454ddcd00820f

SHA512
7b33cfeca93e1320b9b3002ed6890531780a65ecf69eb2df291bc361b10bce30e778f0d05d392ea6ed6529959c6b55da90bdff966f50a1630025ad8ae3f54fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

Filesize
193B

MD5
13afaf72d9a4a138f1afed9ad99666f8

SHA1
13f2b287d59501456c219b950ef8607e4409eff6

SHA256
15470731f8053e873e64786a83c3df521c12382013eabbc9a198a017afad6d91

SHA512
7fd8a978ef8480fc8a5b1d2d1ed72d32099a14b6370e05497485932a3a7aba112ce7c704fb849f05441d204ff45e678412535df22bd8e05f92fed07a64891e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_utefpug3.wss.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat

Filesize
193B

MD5
834c592b3c2c71f76ac397b651eaab5c

SHA1
7ec2e0de8707f0fd69d99a20fa36710b2583ef61

SHA256
2748d2b398a234a7a5790453528eab05be21fb27b901eed2c6945beb2db0837b

SHA512
6b1e97ee742826635401e501c23fd118c8827dbf74b86a5d7e428391c6a4debbe0ab854e07eed468d7f3abac0d42ce5bfc553528e2fa4091274d388a10560152

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
193B

MD5
3c9d970bd96d6a71152fefbad891fa95

SHA1
2705be9a5d19be146c69f7ac226bfb2ddd9634e5

SHA256
85220240334af1d577144a55b98f8b8c53cdf53fea57cca6df0602a469c2f880

SHA512
6e24640b6d8d62693f81bec4c75a5e41264f06770fe1ea8187c9255ec8b71f0f95a83c43d850cdf4ddf495e629a9ab9005141f5814f1248cad729110d1f0662b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
193B

MD5
d3dc02e1655f62801b66fcbddfd480a8

SHA1
033c5ad5835a4f5ef9464f9b0af93971f9f4428a

SHA256
4a09ac63f9fcdaebac0972edbed38209a694e93740f894d5c01246e600db3dce

SHA512
f1695a6a267f01cd3644efb8bcccad0e67afdbc46ece6312bfe272204f701a0930368bf7c3ee4d8872918b37c501533b1eead487f0da290ca516dab4b68e13c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

Filesize
193B

MD5
085f5c7650067e703a9d5fcbf2982813

SHA1
52dcd55691d66c420292b0838e0f7793aa98a7a0

SHA256
b29bbc347ca89b884e7c68c2b92280fbb4d12431cb1d1644dc07c7a4fc0c6cf4

SHA512
a7d93a10eaf9e33d200d0eb5696610f3d12d67ecd16a407ed2055bc033c987edfed01b408d20f8c481bda5c8d467a000a66d73d111f68559e58491675634f1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

Filesize
193B

MD5
882c775292405c82293222feee1c7a68

SHA1
5562d5ec4ca8d19182a94025b1de5d6a5cb18c12

SHA256
22a1704e72c07c69cb983d14ec63b2fa4090c05f1c5ac2676738f467fb7557cd

SHA512
cc8deda89c8eb3b66955861ae7db980b32e7283eff2a64b442ee6214f1cadb31bf5393791a8161153b92f978e1250288277cae9d048786e1bfd7e4e307b93ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat

Filesize
193B

MD5
93b25455aa1f5822500b86aa812eb77b

SHA1
9999f5a7ff2545752ea4cb1ff560cda9a75e0b39

SHA256
a195615689d74bac9ca58d504a579662e984045c32d610827a1d41317d06e182

SHA512
31536618c9749372c45b444b509e0198edc86f055900c661170a12867c607c832a8aaae9d6d0a32a295fc7cc549d3cf3d771b05c205c17ee7e5e79490fa0f869

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/212-264-0x0000000001510000-0x0000000001522000-memory.dmp

Filesize
72KB

Download
memory/1484-182-0x0000000001150000-0x0000000001162000-memory.dmp

Filesize
72KB

Download
memory/3024-239-0x0000000003200000-0x0000000003212000-memory.dmp

Filesize
72KB

Download
memory/3616-69-0x0000026B4AA80000-0x0000026B4AAA2000-memory.dmp

Filesize
136KB

Download
memory/3644-15-0x0000000002B70000-0x0000000002B7C000-memory.dmp

Filesize
48KB

Download
memory/3644-13-0x0000000000950000-0x0000000000A60000-memory.dmp

Filesize
1.1MB

Download
memory/3644-12-0x00007FFC2DE83000-0x00007FFC2DE85000-memory.dmp

Filesize
8KB

Download
memory/3644-14-0x00000000014B0000-0x00000000014C2000-memory.dmp

Filesize
72KB

Download
memory/3644-16-0x0000000002B90000-0x0000000002B9C000-memory.dmp

Filesize
48KB

Download
memory/3644-17-0x0000000002BA0000-0x0000000002BAC000-memory.dmp

Filesize
48KB

Download
memory/4160-277-0x0000000003050000-0x0000000003062000-memory.dmp

Filesize
72KB

Download
memory/4292-232-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/4496-290-0x00000000031C0000-0x00000000031D2000-memory.dmp

Filesize
72KB

Download