dcrat | 9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe
Size

1.3MB
MD5

a5fc4e2cb2da56316afe676b08b1a1c2
SHA1

78d03dd64addcd58990263dd9a4ed40234fff44d
SHA256

9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930
SHA512

f82f8b829511949bd9c3016172e65e99dfd3e3bc3c2ba63712c1c4edb8ba10e57cd3711f01a4bdb3e625f73dcd53e8a6e524a385c7fb705d2e9c48bc9e7674aa
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	516	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	516	schtasks.exe	92

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b97-10.dat	dcrat
behavioral2/memory/4736-13-0x00000000006D0000-0x00000000007E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2600	powershell.exe
3672	powershell.exe
3780	powershell.exe
3188	powershell.exe
392	powershell.exe
3548	powershell.exe
4432	powershell.exe
1572	powershell.exe
4352	powershell.exe
220	powershell.exe
1396	powershell.exe
4980	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 16 IoCs

pid	Process
4736	DllCommonsvc.exe
4256	RuntimeBroker.exe
3316	RuntimeBroker.exe
3680	RuntimeBroker.exe
1396	RuntimeBroker.exe
4152	RuntimeBroker.exe
2024	RuntimeBroker.exe
2628	RuntimeBroker.exe
1880	RuntimeBroker.exe
1772	RuntimeBroker.exe
1020	RuntimeBroker.exe
2720	RuntimeBroker.exe
4624	RuntimeBroker.exe
2924	RuntimeBroker.exe
3476	RuntimeBroker.exe
1600	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
49	raw.githubusercontent.com
55	raw.githubusercontent.com
26	raw.githubusercontent.com
43	raw.githubusercontent.com
48	raw.githubusercontent.com
56	raw.githubusercontent.com
34	raw.githubusercontent.com
46	raw.githubusercontent.com
53	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com
42	raw.githubusercontent.com
47	raw.githubusercontent.com
59	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\services.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3376	schtasks.exe
3520	schtasks.exe
1468	schtasks.exe
4176	schtasks.exe
4348	schtasks.exe
2740	schtasks.exe
1516	schtasks.exe
5020	schtasks.exe
1108	schtasks.exe
3344	schtasks.exe
2060	schtasks.exe
3316	schtasks.exe
4476	schtasks.exe
4712	schtasks.exe
3536	schtasks.exe
2044	schtasks.exe
1708	schtasks.exe
3508	schtasks.exe
4388	schtasks.exe
624	schtasks.exe
3924	schtasks.exe
2556	schtasks.exe
4412	schtasks.exe
3540	schtasks.exe
3060	schtasks.exe
3680	schtasks.exe
2628	schtasks.exe
732	schtasks.exe
2596	schtasks.exe
868	schtasks.exe
4988	schtasks.exe
1652	schtasks.exe
3636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
4736	DllCommonsvc.exe
3548	powershell.exe
3548	powershell.exe
3672	powershell.exe
3672	powershell.exe
220	powershell.exe
220	powershell.exe
1396	powershell.exe
1396	powershell.exe
1572	powershell.exe
1572	powershell.exe
4432	powershell.exe
4432	powershell.exe
2600	powershell.exe
2600	powershell.exe
3188	powershell.exe
3188	powershell.exe
392	powershell.exe
392	powershell.exe
4980	powershell.exe
4980	powershell.exe
3780	powershell.exe
3780	powershell.exe
4352	powershell.exe
4352	powershell.exe
3188	powershell.exe
3548	powershell.exe
3672	powershell.exe
220	powershell.exe
4980	powershell.exe
4432	powershell.exe
4352	powershell.exe
2600	powershell.exe
3780	powershell.exe
392	powershell.exe
1572	powershell.exe
1396	powershell.exe
4256	RuntimeBroker.exe
3316	RuntimeBroker.exe
3680	RuntimeBroker.exe
1396	RuntimeBroker.exe
4152	RuntimeBroker.exe
2024	RuntimeBroker.exe
2628	RuntimeBroker.exe
1880	RuntimeBroker.exe
1772	RuntimeBroker.exe
1020	RuntimeBroker.exe
2720	RuntimeBroker.exe
4624	RuntimeBroker.exe
2924	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	DllCommonsvc.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	4256	RuntimeBroker.exe
Token: SeDebugPrivilege	3316	RuntimeBroker.exe
Token: SeDebugPrivilege	3680	RuntimeBroker.exe
Token: SeDebugPrivilege	1396	RuntimeBroker.exe
Token: SeDebugPrivilege	4152	RuntimeBroker.exe
Token: SeDebugPrivilege	2024	RuntimeBroker.exe
Token: SeDebugPrivilege	2628	RuntimeBroker.exe
Token: SeDebugPrivilege	1880	RuntimeBroker.exe
Token: SeDebugPrivilege	1772	RuntimeBroker.exe
Token: SeDebugPrivilege	1020	RuntimeBroker.exe
Token: SeDebugPrivilege	2720	RuntimeBroker.exe
Token: SeDebugPrivilege	4624	RuntimeBroker.exe
Token: SeDebugPrivilege	2924	RuntimeBroker.exe
Token: SeDebugPrivilege	3476	RuntimeBroker.exe
Token: SeDebugPrivilege	1600	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2256	1688	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe	84
PID 1688 wrote to memory of 2256	1688	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe	84
PID 1688 wrote to memory of 2256	1688	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe	84
PID 2256 wrote to memory of 1624	2256	WScript.exe	87
PID 2256 wrote to memory of 1624	2256	WScript.exe	87
PID 2256 wrote to memory of 1624	2256	WScript.exe	87
PID 1624 wrote to memory of 4736	1624	cmd.exe	89
PID 1624 wrote to memory of 4736	1624	cmd.exe	89
PID 4736 wrote to memory of 4352	4736	DllCommonsvc.exe	126
PID 4736 wrote to memory of 4352	4736	DllCommonsvc.exe	126
PID 4736 wrote to memory of 3780	4736	DllCommonsvc.exe	127
PID 4736 wrote to memory of 3780	4736	DllCommonsvc.exe	127
PID 4736 wrote to memory of 3188	4736	DllCommonsvc.exe	128
PID 4736 wrote to memory of 3188	4736	DllCommonsvc.exe	128
PID 4736 wrote to memory of 392	4736	DllCommonsvc.exe	129
PID 4736 wrote to memory of 392	4736	DllCommonsvc.exe	129
PID 4736 wrote to memory of 220	4736	DllCommonsvc.exe	130
PID 4736 wrote to memory of 220	4736	DllCommonsvc.exe	130
PID 4736 wrote to memory of 3672	4736	DllCommonsvc.exe	131
PID 4736 wrote to memory of 3672	4736	DllCommonsvc.exe	131
PID 4736 wrote to memory of 3548	4736	DllCommonsvc.exe	132
PID 4736 wrote to memory of 3548	4736	DllCommonsvc.exe	132
PID 4736 wrote to memory of 4980	4736	DllCommonsvc.exe	133
PID 4736 wrote to memory of 4980	4736	DllCommonsvc.exe	133
PID 4736 wrote to memory of 2600	4736	DllCommonsvc.exe	134
PID 4736 wrote to memory of 2600	4736	DllCommonsvc.exe	134
PID 4736 wrote to memory of 1396	4736	DllCommonsvc.exe	135
PID 4736 wrote to memory of 1396	4736	DllCommonsvc.exe	135
PID 4736 wrote to memory of 1572	4736	DllCommonsvc.exe	136
PID 4736 wrote to memory of 1572	4736	DllCommonsvc.exe	136
PID 4736 wrote to memory of 4432	4736	DllCommonsvc.exe	137
PID 4736 wrote to memory of 4432	4736	DllCommonsvc.exe	137
PID 4736 wrote to memory of 2624	4736	DllCommonsvc.exe	150
PID 4736 wrote to memory of 2624	4736	DllCommonsvc.exe	150
PID 2624 wrote to memory of 4228	2624	cmd.exe	152
PID 2624 wrote to memory of 4228	2624	cmd.exe	152
PID 2624 wrote to memory of 4256	2624	cmd.exe	159
PID 2624 wrote to memory of 4256	2624	cmd.exe	159
PID 4256 wrote to memory of 1380	4256	RuntimeBroker.exe	161
PID 4256 wrote to memory of 1380	4256	RuntimeBroker.exe	161
PID 1380 wrote to memory of 4800	1380	cmd.exe	163
PID 1380 wrote to memory of 4800	1380	cmd.exe	163
PID 1380 wrote to memory of 3316	1380	cmd.exe	165
PID 1380 wrote to memory of 3316	1380	cmd.exe	165
PID 3316 wrote to memory of 2556	3316	RuntimeBroker.exe	169
PID 3316 wrote to memory of 2556	3316	RuntimeBroker.exe	169
PID 2556 wrote to memory of 4304	2556	cmd.exe	171
PID 2556 wrote to memory of 4304	2556	cmd.exe	171
PID 2556 wrote to memory of 3680	2556	cmd.exe	174
PID 2556 wrote to memory of 3680	2556	cmd.exe	174
PID 3680 wrote to memory of 2592	3680	RuntimeBroker.exe	176
PID 3680 wrote to memory of 2592	3680	RuntimeBroker.exe	176
PID 2592 wrote to memory of 2076	2592	cmd.exe	178
PID 2592 wrote to memory of 2076	2592	cmd.exe	178
PID 2592 wrote to memory of 1396	2592	cmd.exe	180
PID 2592 wrote to memory of 1396	2592	cmd.exe	180
PID 1396 wrote to memory of 5052	1396	RuntimeBroker.exe	182
PID 1396 wrote to memory of 5052	1396	RuntimeBroker.exe	182
PID 5052 wrote to memory of 3784	5052	cmd.exe	184
PID 5052 wrote to memory of 3784	5052	cmd.exe	184
PID 5052 wrote to memory of 4152	5052	cmd.exe	186
PID 5052 wrote to memory of 4152	5052	cmd.exe	186
PID 4152 wrote to memory of 4084	4152	RuntimeBroker.exe	189
PID 4152 wrote to memory of 4084	4152	RuntimeBroker.exe	189

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WaaSMedicAgent.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Videos\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xf1jqcOj5W.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4228
      - C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4800
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4304
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2076
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3784
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
        15⤵
        
        PID:4084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:940
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
        17⤵
        
        PID:1156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2176
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        19⤵
        
        PID:4980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2976
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
        21⤵
        
        PID:3344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3872
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        23⤵
        
        PID:4464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1268
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
        25⤵
        
        PID:5064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4056
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        27⤵
        
        PID:4432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3248
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        29⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1664
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
        31⤵
        
        PID:4308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:632
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
        33⤵
        
        PID:4228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:1908
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        "C:\Users\Default\Videos\RuntimeBroker.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Videos\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\providercommon\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\My Videos\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Setup\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
292B

MD5
3d664f4ecfc865a8cc2244af53d47816

SHA1
5f65acbf5719b64e89034db8e3fe2a4603648589

SHA256
f3d668ce61fd32508ede141ea2d82a4d47a2f9ca0df3190e4df727e337ecb962

SHA512
c178020eac473fb2cbaf1c9fa0a83bf5d49113e98aa3e99ac60b23a97cf64b3ac33f08efb51a4b7ae0ede9079e89583231caa1fec16ec3087a0a7e6b6d998e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
206B

MD5
d42373a637f21394dfdf5c66a5944523

SHA1
70d83c30e8323744577cb4510d8b57c648df8688

SHA256
67dae7c67f2e793b6c96a6e41c8cff4dce4f920a0fca6aabc0d23aba85ee9972

SHA512
7b847280664bfa2d13614e5195adf81c3db2a601dc4b6a8d3538f2f0adba06b0e1d32e94016795f1c015ba3688829db2bf03dfb39f585b8b6f8c7dbcb8f28e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat

Filesize
206B

MD5
1900c60b67c71a25c2ca0a7e18af2065

SHA1
d8516d0bb46779cb24468e224c90b63eb4df0d1f

SHA256
07b3289f9e45112a25887bb2eaca859df8c3b0122dae53481437fbc5ff2f2357

SHA512
67164b003f0e5deb57742e96d11ca8630db1154157388fa2d6e20715744693047fb5c49a0d774ec69f27a5a950a6a99a6f1731353bf6e23a69dd71672e0efaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

Filesize
206B

MD5
dba44af1633febdfc1400f867bc3fdd9

SHA1
e5a7b06e0fbba6491c3155588c631152f737e4e0

SHA256
188723d510ce346161a27a6df4c5418c894cca3b7bf636297584346699a3fda1

SHA512
8490fbd54d45eded025688aeafad90c2361a79afb2f8a5a9d0aa08fb32dceff1e08298ae67fc4e9f3dd58c423324d5f3fd569dd019bacfda541ff6bb46ca73fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat

Filesize
206B

MD5
5de74bdf1428b14bdd63f927b33320a3

SHA1
011a163009405e9bf7574cf7c3ecf0df9374c244

SHA256
8728ef4be84931aabdc8e00278d708a55b7ce7e1fa3320320c182313124be9cd

SHA512
bc9873c2f7610ecf7cf60c9a85a932d9ddc2573a22338a4b0520f3ad47cb9ccf39abf7bff76ff5b9b603ebafe0b5d13650715012a399b04c486c66501787e237

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

Filesize
206B

MD5
4747ab66471f09c803233a541d1d8280

SHA1
a97ea4e1781de3f3966b1729a37fac2ce02b49f4

SHA256
411a640630bb8980cf7677282464558ae501ccc1ed1e1e5a209cf44cd12ef95f

SHA512
8e9c19ccdc557e7def7bf82b8707b7e81bab340ab31a354b8163239a03867b629317564a5fbd246417b655a4d3b09cc0944e157dd97cf2fa9dab24ba8a0cc615

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

Filesize
206B

MD5
989e697fe995212f62d8a967cbf4adaa

SHA1
83b2491326e2e6a54779265a4aa6be3c1121cf3f

SHA256
555203f8f2321fdbe8e180af0763b8c3958f27598c7497d1783c5a7d04e15f32

SHA512
afae863999762cc7719da8916b56f10730a807ec416c6f2461deb9c0719b88fb5f95826d71b25e8f92670fd7403658f939abf0bb47488902d64821e833a4b42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xf1jqcOj5W.bat

Filesize
206B

MD5
06bb492866799c8d40fde7ee6cb452d2

SHA1
a50f2695347f1c124215d89bee647b3a5e2b630c

SHA256
7a0183857a81b6cceaf21b019fbc774b634e244a47fade1a9d4c0d62a8f8a509

SHA512
aaf09b8cc739062d42865dc610b2d3437cc0c1f45baf2e560391f3fe4ae4ca74c86d74883e0cb49d3410e95c6e4252ddbeff65cebc3ee383b6c355edcfd4d7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

Filesize
206B

MD5
07d5ca8b843ddfeb0ffec7a7fa706a4c

SHA1
0222f6097594740bafdfe02b5da722e7093048be

SHA256
3b26d811de2f83abcb3b5da6ac1fbbe465b4cd368ffb9ecddde540e6000462c5

SHA512
46e67f33b54fe365c44e8602d847d60884e48b5551beeb97e77a315bdb92e8049f943cb748d92cfe1cf4e86c690e97975e21d5ec01c9c782a50cff06ff243992

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w24g3ex4.s0h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
206B

MD5
c952dd7e0082512a8f8abf649a39633b

SHA1
8717a9a62a29cf51b25c07cc81bc47e541403d1b

SHA256
2d490b2411866fe0393f9a285628c14431bd548a46389f129ae33daa5247b1a5

SHA512
80e6ab80d7e7c2532a6544c1182cf0394e34a93e08e63fe3e866039f63949ac91ed0450aff91f21ad1438682a484d599e3a79375a351725d05ee3fc9b1a47d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

Filesize
206B

MD5
beb04f9161f3fd365b064dcb629bab18

SHA1
165616d37c4208d3e080c4d73515fe025f88e965

SHA256
9810f9ed4480f6fd16f17098d4d7b092a0230efa785ab65841189672f757f010

SHA512
1cc9a28227c40c377fb1c0999e748761941bed07540b8d15c4f93265ff0a38a28b1f63dd94522905e78662d1c1dd6ff9197b8e53480585fdc98ebee763a42256

Download Submit
C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat

Filesize
206B

MD5
5ceb99af671f7350350c4d96f62a0bb1

SHA1
e43970a7145915a0afea4f10f609762cf5691a08

SHA256
b4943d0389e6066144bd4fe4ee99f26fe7880d49035cd4ee64af5483a3c0d2b2

SHA512
52d5cf238e505b6ce849cbdb0956f3ca0a6d46e3898839871f6a46eb3252f8d9eea42f39e04b35927ddb7be48fc0ad908d8b998124b76daf8b7e93f4dcb0bf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

Filesize
206B

MD5
b0cfe5426c14a14c4711a12d41ccfce9

SHA1
88b9954ff16dedcc75016e7ccad98d909d7d8c66

SHA256
9730a2191cdeef2ddebe5bad99b69cf4671de045b34c1300ebde8a723a3b223d

SHA512
0424ae8b9bcdc60d7a6d9b1a4439db251b57adfe3b8cecb458ec6c532f6f867efb6e42cccb87f5da540bcc4092c76d33032ac0deff577cbbbfb5236f543f36a2

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1020-250-0x000000001DD80000-0x000000001DF29000-memory.dmp

Filesize
1.7MB

Download
memory/1772-239-0x000000001BBF0000-0x000000001BC02000-memory.dmp

Filesize
72KB

Download
memory/1880-236-0x000000001D1B0000-0x000000001D359000-memory.dmp

Filesize
1.7MB

Download
memory/1880-231-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/2628-224-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/2720-258-0x000000001E040000-0x000000001E1E9000-memory.dmp

Filesize
1.7MB

Download
memory/2720-253-0x000000001BBF0000-0x000000001BC02000-memory.dmp

Filesize
72KB

Download
memory/3672-54-0x000001EF4B8F0000-0x000001EF4B912000-memory.dmp

Filesize
136KB

Download
memory/3680-199-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/4256-189-0x000000001D6A0000-0x000000001D849000-memory.dmp

Filesize
1.7MB

Download
memory/4256-183-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/4736-17-0x0000000002900000-0x000000000290C000-memory.dmp

Filesize
48KB

Download
memory/4736-16-0x00000000028F0000-0x00000000028FC000-memory.dmp

Filesize
48KB

Download
memory/4736-15-0x0000000002A20000-0x0000000002A2C000-memory.dmp

Filesize
48KB

Download
memory/4736-14-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4736-13-0x00000000006D0000-0x00000000007E0000-memory.dmp

Filesize
1.1MB

Download
memory/4736-12-0x00007FFEEB113000-0x00007FFEEB115000-memory.dmp

Filesize
8KB

Download