dcrat | ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572.exe
Size

1.3MB
MD5

4a544f26f00032a9dc87386aa8f60ebf
SHA1

11a1a7d6a4e955e802233a1d560a157e9f1f25ee
SHA256

ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572
SHA512

7e706bb09914bb24181e9e216ea99018c4eadcc62fb53d03f196bdf04b16efd7883b9ba681e03b3740d6c3496707be15575faffb9daa835ba20afac268df321c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	904	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	904	schtasks.exe	92

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c73-10.dat	dcrat
behavioral2/memory/2448-13-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4952	powershell.exe
4412	powershell.exe
2560	powershell.exe
2880	powershell.exe
4200	powershell.exe
2124	powershell.exe
3580	powershell.exe
1824	powershell.exe
4140	powershell.exe
4300	powershell.exe
3880	powershell.exe
4384	powershell.exe
1128	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 15 IoCs

pid	Process
2448	DllCommonsvc.exe
2356	System.exe
3680	System.exe
808	System.exe
2368	System.exe
3692	System.exe
2904	System.exe
4576	System.exe
3704	System.exe
2216	System.exe
5076	System.exe
3840	System.exe
3928	System.exe
2260	System.exe
3052	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
40	raw.githubusercontent.com
45	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
20	raw.githubusercontent.com
44	raw.githubusercontent.com
52	raw.githubusercontent.com
56	raw.githubusercontent.com
39	raw.githubusercontent.com
41	raw.githubusercontent.com
55	raw.githubusercontent.com
57	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\host\fxr\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\dotnet\host\fxr\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\addins\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\addins\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\addins\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\Tasks\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	JaffaCakes118_ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
228	schtasks.exe
3764	schtasks.exe
1112	schtasks.exe
452	schtasks.exe
3636	schtasks.exe
2008	schtasks.exe
2156	schtasks.exe
2320	schtasks.exe
5004	schtasks.exe
5080	schtasks.exe
3860	schtasks.exe
720	schtasks.exe
4800	schtasks.exe
2368	schtasks.exe
380	schtasks.exe
3772	schtasks.exe
3200	schtasks.exe
756	schtasks.exe
2776	schtasks.exe
3616	schtasks.exe
4744	schtasks.exe
4696	schtasks.exe
548	schtasks.exe
4976	schtasks.exe
2072	schtasks.exe
4556	schtasks.exe
4704	schtasks.exe
1388	schtasks.exe
1476	schtasks.exe
544	schtasks.exe
1132	schtasks.exe
2308	schtasks.exe
4056	schtasks.exe
1972	schtasks.exe
2752	schtasks.exe
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2448	DllCommonsvc.exe
2448	DllCommonsvc.exe
2448	DllCommonsvc.exe
2448	DllCommonsvc.exe
2448	DllCommonsvc.exe
2448	DllCommonsvc.exe
2448	DllCommonsvc.exe
2448	DllCommonsvc.exe
2448	DllCommonsvc.exe
4140	powershell.exe
4140	powershell.exe
4412	powershell.exe
4412	powershell.exe
3580	powershell.exe
3580	powershell.exe
4300	powershell.exe
4300	powershell.exe
4384	powershell.exe
4384	powershell.exe
2124	powershell.exe
2124	powershell.exe
2880	powershell.exe
2880	powershell.exe
4200	powershell.exe
4200	powershell.exe
1128	powershell.exe
1128	powershell.exe
1824	powershell.exe
1824	powershell.exe
4952	powershell.exe
4952	powershell.exe
3880	powershell.exe
3880	powershell.exe
2560	powershell.exe
2560	powershell.exe
4200	powershell.exe
2356	System.exe
2356	System.exe
4140	powershell.exe
3880	powershell.exe
4300	powershell.exe
2124	powershell.exe
1824	powershell.exe
3580	powershell.exe
1128	powershell.exe
4952	powershell.exe
4384	powershell.exe
2880	powershell.exe
4412	powershell.exe
2560	powershell.exe
3680	System.exe
808	System.exe
2368	System.exe
3692	System.exe
2904	System.exe
4576	System.exe
3704	System.exe
2216	System.exe
5076	System.exe
3840	System.exe
3928	System.exe
2260	System.exe
3052	System.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	DllCommonsvc.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	2356	System.exe
Token: SeDebugPrivilege	3680	System.exe
Token: SeDebugPrivilege	808	System.exe
Token: SeDebugPrivilege	2368	System.exe
Token: SeDebugPrivilege	3692	System.exe
Token: SeDebugPrivilege	2904	System.exe
Token: SeDebugPrivilege	4576	System.exe
Token: SeDebugPrivilege	3704	System.exe
Token: SeDebugPrivilege	2216	System.exe
Token: SeDebugPrivilege	5076	System.exe
Token: SeDebugPrivilege	3840	System.exe
Token: SeDebugPrivilege	3928	System.exe
Token: SeDebugPrivilege	2260	System.exe
Token: SeDebugPrivilege	3052	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 4688	2576	JaffaCakes118_ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572.exe	83
PID 2576 wrote to memory of 4688	2576	JaffaCakes118_ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572.exe	83
PID 2576 wrote to memory of 4688	2576	JaffaCakes118_ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572.exe	83
PID 4688 wrote to memory of 2088	4688	WScript.exe	87
PID 4688 wrote to memory of 2088	4688	WScript.exe	87
PID 4688 wrote to memory of 2088	4688	WScript.exe	87
PID 2088 wrote to memory of 2448	2088	cmd.exe	89
PID 2088 wrote to memory of 2448	2088	cmd.exe	89
PID 2448 wrote to memory of 4412	2448	DllCommonsvc.exe	129
PID 2448 wrote to memory of 4412	2448	DllCommonsvc.exe	129
PID 2448 wrote to memory of 1824	2448	DllCommonsvc.exe	130
PID 2448 wrote to memory of 1824	2448	DllCommonsvc.exe	130
PID 2448 wrote to memory of 4140	2448	DllCommonsvc.exe	131
PID 2448 wrote to memory of 4140	2448	DllCommonsvc.exe	131
PID 2448 wrote to memory of 4300	2448	DllCommonsvc.exe	132
PID 2448 wrote to memory of 4300	2448	DllCommonsvc.exe	132
PID 2448 wrote to memory of 2560	2448	DllCommonsvc.exe	133
PID 2448 wrote to memory of 2560	2448	DllCommonsvc.exe	133
PID 2448 wrote to memory of 3880	2448	DllCommonsvc.exe	134
PID 2448 wrote to memory of 3880	2448	DllCommonsvc.exe	134
PID 2448 wrote to memory of 2880	2448	DllCommonsvc.exe	135
PID 2448 wrote to memory of 2880	2448	DllCommonsvc.exe	135
PID 2448 wrote to memory of 4200	2448	DllCommonsvc.exe	136
PID 2448 wrote to memory of 4200	2448	DllCommonsvc.exe	136
PID 2448 wrote to memory of 4384	2448	DllCommonsvc.exe	137
PID 2448 wrote to memory of 4384	2448	DllCommonsvc.exe	137
PID 2448 wrote to memory of 2124	2448	DllCommonsvc.exe	138
PID 2448 wrote to memory of 2124	2448	DllCommonsvc.exe	138
PID 2448 wrote to memory of 3580	2448	DllCommonsvc.exe	139
PID 2448 wrote to memory of 3580	2448	DllCommonsvc.exe	139
PID 2448 wrote to memory of 4952	2448	DllCommonsvc.exe	140
PID 2448 wrote to memory of 4952	2448	DllCommonsvc.exe	140
PID 2448 wrote to memory of 1128	2448	DllCommonsvc.exe	141
PID 2448 wrote to memory of 1128	2448	DllCommonsvc.exe	141
PID 2448 wrote to memory of 2356	2448	DllCommonsvc.exe	155
PID 2448 wrote to memory of 2356	2448	DllCommonsvc.exe	155
PID 2356 wrote to memory of 3764	2356	System.exe	163
PID 2356 wrote to memory of 3764	2356	System.exe	163
PID 3764 wrote to memory of 3488	3764	cmd.exe	165
PID 3764 wrote to memory of 3488	3764	cmd.exe	165
PID 3764 wrote to memory of 3680	3764	cmd.exe	167
PID 3764 wrote to memory of 3680	3764	cmd.exe	167
PID 3680 wrote to memory of 840	3680	System.exe	169
PID 3680 wrote to memory of 840	3680	System.exe	169
PID 840 wrote to memory of 1028	840	cmd.exe	171
PID 840 wrote to memory of 1028	840	cmd.exe	171
PID 840 wrote to memory of 808	840	cmd.exe	176
PID 840 wrote to memory of 808	840	cmd.exe	176
PID 808 wrote to memory of 3772	808	System.exe	178
PID 808 wrote to memory of 3772	808	System.exe	178
PID 3772 wrote to memory of 2460	3772	cmd.exe	180
PID 3772 wrote to memory of 2460	3772	cmd.exe	180
PID 3772 wrote to memory of 2368	3772	cmd.exe	182
PID 3772 wrote to memory of 2368	3772	cmd.exe	182
PID 2368 wrote to memory of 3248	2368	System.exe	184
PID 2368 wrote to memory of 3248	2368	System.exe	184
PID 3692 wrote to memory of 1468	3692	System.exe	190
PID 3692 wrote to memory of 1468	3692	System.exe	190
PID 1468 wrote to memory of 2556	1468	cmd.exe	192
PID 1468 wrote to memory of 2556	1468	cmd.exe	192
PID 1468 wrote to memory of 2904	1468	cmd.exe	195
PID 1468 wrote to memory of 2904	1468	cmd.exe	195
PID 2904 wrote to memory of 2840	2904	System.exe	197
PID 2904 wrote to memory of 2840	2904	System.exe	197

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca4a46c6b90ad3c6eef529b2573eec195ca981c05b42f20b1d56b5fc2512e572.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\host\fxr\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
    - - C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3488
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1028
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2460
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
        12⤵
        
        PID:3248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2488
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2556
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
        16⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1820
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"
        18⤵
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1856
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
        20⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3772
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        22⤵
        
        PID:4956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:352
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
        24⤵
        
        PID:3760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4984
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
        26⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4460
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
        28⤵
        
        PID:4412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4476
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
        30⤵
        
        PID:4256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2648
        
        C:\Program Files\Windows Multimedia Platform\System.exe
        
        "C:\Program Files\Windows Multimedia Platform\System.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Tasks\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\host\fxr\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a5e1f1efff867a822c6a57ee928dd66

SHA1
b017854d8a1deb05f1447e9dd6002902fb66bf6b

SHA256
8222fe869b025493591ca2ffbabe089c2e682449e77b754fc864ba62d64ee957

SHA512
25fc0fd6a71595c44efe34d281c4bc4924ac82f76b9f697497d0019fa2c8e0cadf58f92ae4272f00b1ef1e97dfd93bd740a9e7f7d9dc93cb1cadbde5f93d1782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
220B

MD5
c3211c5f47df9f48ad4f45f0e4cac365

SHA1
901ba8322f09b58d90db9b1e6b085200a0f493ca

SHA256
a49325a692d97b3ee99e4fd096557f49525bb5ea1d9f72fb7e50da915173f3ee

SHA512
bf3e96b1a34c8cfd2e257107d3b3d8f4c816d128858672f8db231f1c4527295e821f83faf1ee718a8b1705e2d5f262616fe9c4303ccb00eb70a67e8ad6adc60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat

Filesize
220B

MD5
499be5e29c7d0a77362dd540371f84da

SHA1
9b22fb3799d6be354050a23f15a27bd89241146f

SHA256
4acb412c9f1138effd63116dbff90d5ccbf507a3cd5ae4e864d58167c5a79c47

SHA512
1b9eed755e58b7fdc6493c16f7a04a0901c8c92d999b8e95a996341989c08faef95d68ae710b2d653db17de91199a8d094238c4583a83c1bc95a6def7fd935a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

Filesize
220B

MD5
a53fb0337fd7a179dbca0a0de2f6f85a

SHA1
8323b5e6c7fb401f9c59378069c357645f074e4c

SHA256
97860d699dc8c884890aa0bd370f6bdb12e5397fe7a9191cbf1b1b37ae7d27b3

SHA512
d0adbd5adbbfc0c17603535fbd7f4c1c581354cdcb4c8182652a1e40e57849879ced74e5078f86aa295aee82d73570685bcbe1ab25f71027d28e267e7a655485

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
220B

MD5
525ec99a5e34d211bc50cb9033dfd0c7

SHA1
05c0e5219125360bd6253151a7f559084485deb7

SHA256
0cfa43f637585901122abefb3c6ebcaf521a455a05766758965fe4c627bece49

SHA512
9f79c0c8a22f63fb5941a1adc44a36274b0db672be1aaee8f35e40c4ec2e0492577fccbb7df058d0f8f3e7beff315ba100dbeb6393e48007297541f7542158ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat

Filesize
220B

MD5
ff60513dfb037a2db1b116862bc152cd

SHA1
4e5e9b7a5d7c05bd2f630a6dc21822c3f6d457e5

SHA256
92a441a81dbe7f624af9de7fae3ff90b5d890fad7fba22efd0cd9daa4391bd7d

SHA512
f76aac3ef5547f878231663b7a72056fa1297893bd7c33a24895dd9140ea028de1a5afb7d30985e2b92556b168a8bdb79cac688bc2bfaf5b3c751ad663a9a163

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

Filesize
220B

MD5
07d8350b7f72ffbd3245aec687889408

SHA1
bbfe64d7543ddcf9471c24ac187f61f584c9911c

SHA256
e1782dc7658c5ddc21fc2f84b0c86046fd21fed2009e22bed7f4ccae787983b8

SHA512
6c515b074f0b8f68abfb02c3b1e09fdc09d76e6c3293339d78429634f98c54ae1e0bd379a418f3b029d687948bb94f9ab2a7301a113fcf1e4a350b2b97f0d2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

Filesize
220B

MD5
013cbfcc7bcee8bba7fdfb13e1b272ba

SHA1
a5ee32abb454daff6ba865edbe2143fd71aa5f82

SHA256
20d231163916f4a3a1d404d4da6a176d51d8fb4cc37fde80b7622c3414f098ef

SHA512
af8d503f93299a829feb6dbd666a2ecd141d218f756da0b5cf59ab371078474b8a5abed991ee55fa91c5201c6c941aed1ef3849eba498ada85be3c1cbc54d97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3iiopvio.fxb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

Filesize
220B

MD5
71a0c447fc2a5aa096a928c8254126d5

SHA1
077f79fc0f9a6d6c59e3d1b986cd7063c1240923

SHA256
d43ec35867173df724b77920a1d780f99dc6da9e3a6ff8008779e6a7aa4b3f48

SHA512
b546401f90f99632507bd596ac74403de496c8d8a0603bbed6327901360f01b8ea78c1aac11c88509bd35cecda1132031105cba79208784457f1825e4dba9872

Download Submit
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

Filesize
220B

MD5
db16ae4c2d49bd2608a676184ae4d61d

SHA1
59d47ac281a5e7427cda54028486e51f9078397f

SHA256
0d821d0fc71718b4e772116796bcdbd35cff6f61cc6379c973aaa87dab7228b3

SHA512
92d161c5aec6ed9b967ebe6f35d09bc8ba882e7891bb5bd4ff5956f36dfabfe5eac49e949904c37707b2daac86b90fe82d5763ccfa5d4e4c6438d509f77c81a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

Filesize
220B

MD5
e86600156664d9af72925399e01b87e3

SHA1
cb6f00c51bb33d5b18ac10865290101b5b9bceaa

SHA256
cce6f3e236186bd595ed33a8025f6f9d4c70de724164312cd776b1cb43965a21

SHA512
7f841040fc570d6ca870bff8c0b8211c0e46c0a88771ffedcf6d0f6120b2930bd1302c19d43aab177ed3e12a55df85ea3b1482a4bf863c845bf4226312893b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
220B

MD5
557949a9838071bcba21e0c39cd23030

SHA1
587a9b950177982b495b9ab16c1e7ea7e69b2a63

SHA256
f2e70a9c20221a0bdc34086ff392e314c3cb3daad63da7bb51f0bed38a6f5bba

SHA512
69cff67ffcabbb09e0a3ffe622265b093c73f5df0d989276631e0fc3ee2186c5d0ac6aa33da6bb55bf7c8c68dcaff57bf691991ad9998e1872b68c2978f107d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

Filesize
220B

MD5
45869fec97f0f1e22ebd07df44e18ab1

SHA1
2b105baf9c4472fc1270ea8e6adf9176b1c077c9

SHA256
1b5dea871e50548ebfa27c375aa133f0037f63d63e4a485e4f458ee1467ce038

SHA512
2b8fd7723d60ab860443a19814e21c590ebe462cd679a1b246f97aafe492f56b3dc3a920139862da4561cf9636f9e700e373f237b84eb2df4b3e74eadc5de1de

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/808-214-0x0000000002FB0000-0x0000000002FC2000-memory.dmp

Filesize
72KB

Download
memory/2124-53-0x00000269D4860000-0x00000269D4882000-memory.dmp

Filesize
136KB

Download
memory/2216-259-0x000000001BC00000-0x000000001BDA9000-memory.dmp

Filesize
1.7MB

Download
memory/2260-282-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/2260-288-0x000000001C070000-0x000000001C1DA000-memory.dmp

Filesize
1.4MB

Download
memory/2356-202-0x000000001C710000-0x000000001C8B9000-memory.dmp

Filesize
1.7MB

Download
memory/2448-13-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2448-14-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/2448-12-0x00007FF8AB843000-0x00007FF8AB845000-memory.dmp

Filesize
8KB

Download
memory/2448-15-0x000000001ACE0000-0x000000001ACEC000-memory.dmp

Filesize
48KB

Download
memory/2448-17-0x000000001ACD0000-0x000000001ACDC000-memory.dmp

Filesize
48KB

Download
memory/2448-16-0x00000000023A0000-0x00000000023AC000-memory.dmp

Filesize
48KB

Download
memory/2904-232-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/3680-211-0x000000001C690000-0x000000001C731000-memory.dmp

Filesize
644KB

Download
memory/3680-210-0x000000001C4E0000-0x000000001C64A000-memory.dmp

Filesize
1.4MB

Download
memory/3680-205-0x00000000012D0000-0x00000000012E2000-memory.dmp

Filesize
72KB

Download
memory/3704-251-0x000000001CA40000-0x000000001CBAA000-memory.dmp

Filesize
1.4MB

Download
memory/3704-246-0x0000000003270000-0x0000000003282000-memory.dmp

Filesize
72KB

Download
memory/3840-273-0x000000001C550000-0x000000001C6BA000-memory.dmp

Filesize
1.4MB

Download
memory/3928-279-0x000000001C420000-0x000000001C58A000-memory.dmp

Filesize
1.4MB

Download
memory/4576-239-0x0000000002DB0000-0x0000000002DC2000-memory.dmp

Filesize
72KB

Download
memory/5076-265-0x000000001C600000-0x000000001C76A000-memory.dmp

Filesize
1.4MB

Download