dcrat | 2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3.exe
Size

1.3MB
MD5

7652bdac3a679be76582141b7036081e
SHA1

0b0ab3541a1e5859d50831c69c91f74d0acd1ead
SHA256

2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3
SHA512

f1ed512610d6c6d073a222aebbca13412442b2d557154336ca939ea333b96e15522a68e162563e9f68163f6832dda9b3f70bc8b6aa463d53f841173a1782e544
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	1880	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb6-10.dat	dcrat
behavioral2/memory/3524-13-0x00000000007E0000-0x00000000008F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3012	powershell.exe
4656	powershell.exe
4568	powershell.exe
884	powershell.exe
4920	powershell.exe
3968	powershell.exe
3116	powershell.exe
3432	powershell.exe
1636	powershell.exe
2108	powershell.exe
3532	powershell.exe
3664	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3.exe

Executes dropped EXE 15 IoCs

pid	Process
3524	DllCommonsvc.exe
4836	DllCommonsvc.exe
4584	StartMenuExperienceHost.exe
1192	StartMenuExperienceHost.exe
392	StartMenuExperienceHost.exe
3324	StartMenuExperienceHost.exe
4532	StartMenuExperienceHost.exe
5068	StartMenuExperienceHost.exe
1720	StartMenuExperienceHost.exe
1688	StartMenuExperienceHost.exe
4776	StartMenuExperienceHost.exe
928	StartMenuExperienceHost.exe
4392	StartMenuExperienceHost.exe
2196	StartMenuExperienceHost.exe
3524	StartMenuExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
41	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com
49	raw.githubusercontent.com
22	raw.githubusercontent.com
35	raw.githubusercontent.com
36	raw.githubusercontent.com
37	raw.githubusercontent.com
45	raw.githubusercontent.com
19	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files\Google\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\WaaS\tasks\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	JaffaCakes118_2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4988	schtasks.exe
668	schtasks.exe
4560	schtasks.exe
868	schtasks.exe
4660	schtasks.exe
4400	schtasks.exe
2648	schtasks.exe
4696	schtasks.exe
116	schtasks.exe
2224	schtasks.exe
680	schtasks.exe
1480	schtasks.exe
3032	schtasks.exe
1512	schtasks.exe
636	schtasks.exe
828	schtasks.exe
1460	schtasks.exe
4472	schtasks.exe
4388	schtasks.exe
2880	schtasks.exe
3752	schtasks.exe
2760	schtasks.exe
2224	schtasks.exe
2640	schtasks.exe
3980	schtasks.exe
2112	schtasks.exe
820	schtasks.exe
876	schtasks.exe
4696	schtasks.exe
2108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3524	DllCommonsvc.exe
3524	DllCommonsvc.exe
3524	DllCommonsvc.exe
3524	DllCommonsvc.exe
3524	DllCommonsvc.exe
3524	DllCommonsvc.exe
3524	DllCommonsvc.exe
3524	DllCommonsvc.exe
3524	DllCommonsvc.exe
884	powershell.exe
3012	powershell.exe
4568	powershell.exe
3012	powershell.exe
3116	powershell.exe
4656	powershell.exe
4920	powershell.exe
3968	powershell.exe
1636	powershell.exe
4568	powershell.exe
4568	powershell.exe
4836	DllCommonsvc.exe
4836	DllCommonsvc.exe
4836	DllCommonsvc.exe
4836	DllCommonsvc.exe
4836	DllCommonsvc.exe
4836	DllCommonsvc.exe
4836	DllCommonsvc.exe
4836	DllCommonsvc.exe
884	powershell.exe
884	powershell.exe
3116	powershell.exe
3116	powershell.exe
4920	powershell.exe
4920	powershell.exe
4656	powershell.exe
4656	powershell.exe
3968	powershell.exe
1636	powershell.exe
3968	powershell.exe
1636	powershell.exe
3664	powershell.exe
3664	powershell.exe
2108	powershell.exe
2108	powershell.exe
3532	powershell.exe
3532	powershell.exe
3432	powershell.exe
3432	powershell.exe
2108	powershell.exe
3664	powershell.exe
3532	powershell.exe
3432	powershell.exe
4584	StartMenuExperienceHost.exe
1192	StartMenuExperienceHost.exe
392	StartMenuExperienceHost.exe
3324	StartMenuExperienceHost.exe
4532	StartMenuExperienceHost.exe
5068	StartMenuExperienceHost.exe
1720	StartMenuExperienceHost.exe
1688	StartMenuExperienceHost.exe
4776	StartMenuExperienceHost.exe
928	StartMenuExperienceHost.exe
4392	StartMenuExperienceHost.exe
2196	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3524	DllCommonsvc.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	4836	DllCommonsvc.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	4584	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1192	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	392	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3324	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4532	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5068	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1720	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1688	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4776	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	928	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4392	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2196	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3524	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 812	4380	JaffaCakes118_2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3.exe	82
PID 4380 wrote to memory of 812	4380	JaffaCakes118_2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3.exe	82
PID 4380 wrote to memory of 812	4380	JaffaCakes118_2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3.exe	82
PID 812 wrote to memory of 2812	812	WScript.exe	83
PID 812 wrote to memory of 2812	812	WScript.exe	83
PID 812 wrote to memory of 2812	812	WScript.exe	83
PID 2812 wrote to memory of 3524	2812	cmd.exe	85
PID 2812 wrote to memory of 3524	2812	cmd.exe	85
PID 3524 wrote to memory of 884	3524	DllCommonsvc.exe	108
PID 3524 wrote to memory of 884	3524	DllCommonsvc.exe	108
PID 3524 wrote to memory of 4920	3524	DllCommonsvc.exe	109
PID 3524 wrote to memory of 4920	3524	DllCommonsvc.exe	109
PID 3524 wrote to memory of 3968	3524	DllCommonsvc.exe	110
PID 3524 wrote to memory of 3968	3524	DllCommonsvc.exe	110
PID 3524 wrote to memory of 3116	3524	DllCommonsvc.exe	111
PID 3524 wrote to memory of 3116	3524	DllCommonsvc.exe	111
PID 3524 wrote to memory of 3012	3524	DllCommonsvc.exe	112
PID 3524 wrote to memory of 3012	3524	DllCommonsvc.exe	112
PID 3524 wrote to memory of 4656	3524	DllCommonsvc.exe	113
PID 3524 wrote to memory of 4656	3524	DllCommonsvc.exe	113
PID 3524 wrote to memory of 4568	3524	DllCommonsvc.exe	114
PID 3524 wrote to memory of 4568	3524	DllCommonsvc.exe	114
PID 3524 wrote to memory of 1636	3524	DllCommonsvc.exe	115
PID 3524 wrote to memory of 1636	3524	DllCommonsvc.exe	115
PID 3524 wrote to memory of 4836	3524	DllCommonsvc.exe	124
PID 3524 wrote to memory of 4836	3524	DllCommonsvc.exe	124
PID 4836 wrote to memory of 3532	4836	DllCommonsvc.exe	134
PID 4836 wrote to memory of 3532	4836	DllCommonsvc.exe	134
PID 4836 wrote to memory of 2108	4836	DllCommonsvc.exe	135
PID 4836 wrote to memory of 2108	4836	DllCommonsvc.exe	135
PID 4836 wrote to memory of 3664	4836	DllCommonsvc.exe	136
PID 4836 wrote to memory of 3664	4836	DllCommonsvc.exe	136
PID 4836 wrote to memory of 3432	4836	DllCommonsvc.exe	137
PID 4836 wrote to memory of 3432	4836	DllCommonsvc.exe	137
PID 4836 wrote to memory of 2772	4836	DllCommonsvc.exe	142
PID 4836 wrote to memory of 2772	4836	DllCommonsvc.exe	142
PID 2772 wrote to memory of 4724	2772	cmd.exe	144
PID 2772 wrote to memory of 4724	2772	cmd.exe	144
PID 2772 wrote to memory of 4584	2772	cmd.exe	148
PID 2772 wrote to memory of 4584	2772	cmd.exe	148
PID 4584 wrote to memory of 5024	4584	StartMenuExperienceHost.exe	152
PID 4584 wrote to memory of 5024	4584	StartMenuExperienceHost.exe	152
PID 5024 wrote to memory of 3948	5024	cmd.exe	154
PID 5024 wrote to memory of 3948	5024	cmd.exe	154
PID 5024 wrote to memory of 1192	5024	cmd.exe	155
PID 5024 wrote to memory of 1192	5024	cmd.exe	155
PID 1192 wrote to memory of 2732	1192	StartMenuExperienceHost.exe	156
PID 1192 wrote to memory of 2732	1192	StartMenuExperienceHost.exe	156
PID 2732 wrote to memory of 2144	2732	cmd.exe	158
PID 2732 wrote to memory of 2144	2732	cmd.exe	158
PID 2732 wrote to memory of 392	2732	cmd.exe	161
PID 2732 wrote to memory of 392	2732	cmd.exe	161
PID 392 wrote to memory of 1224	392	StartMenuExperienceHost.exe	162
PID 392 wrote to memory of 1224	392	StartMenuExperienceHost.exe	162
PID 1224 wrote to memory of 1360	1224	cmd.exe	164
PID 1224 wrote to memory of 1360	1224	cmd.exe	164
PID 1224 wrote to memory of 3324	1224	cmd.exe	165
PID 1224 wrote to memory of 3324	1224	cmd.exe	165
PID 3324 wrote to memory of 1784	3324	StartMenuExperienceHost.exe	166
PID 3324 wrote to memory of 1784	3324	StartMenuExperienceHost.exe	166
PID 1784 wrote to memory of 4472	1784	cmd.exe	168
PID 1784 wrote to memory of 4472	1784	cmd.exe	168
PID 1784 wrote to memory of 4532	1784	cmd.exe	169
PID 1784 wrote to memory of 4532	1784	cmd.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e819e4bb06177770b6a5a9ca624ebba0e775d125bc060a2ead7e8c38757e2d3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F09SHXPcG3.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4724
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3948
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2144
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1360
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4472
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat"
        16⤵
        
        PID:1296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3980
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        18⤵
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1088
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat"
        20⤵
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1816
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat"
        22⤵
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1668
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
        24⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3656
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
        26⤵
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3464
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat"
        28⤵
        
        PID:636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:212
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        30⤵
        
        PID:3088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3688
        
        C:\providercommon\StartMenuExperienceHost.exe
        
        "C:\providercommon\StartMenuExperienceHost.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\29c1c3cc0f7685

Filesize
15B

MD5
378804650e9401eacd53d10d12cd9d82

SHA1
bc3c3f0a00a26c1fec4e32e7bd9386b78a41629d

SHA256
0a2320e4f515ee2ce826af02499d978a91595c5108d84b1415a93fd497c64f91

SHA512
a88f2a95ab9525d8e6d51c1fc07abbf1030352bf53b9c1e2a0b118e773d89770c47fc1eb0eda9e756e9681191138e27c1d226a4688ade30ddcb3f44ce1f01008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

Filesize
210B

MD5
6b8515df3829b448cc80564c50df6325

SHA1
a584374800aa91c043dc569ff68b7229c8b9978f

SHA256
211e83f61181e341f8156dc0b005503a3065075a9b902dfba0ff3e605faf1148

SHA512
7792311efd2ef57dc7349731c7d1738784476d938d0122bac7d7ca895edb5d10c4644cce9fe102f32b98cc8343832a7d36eaa2a647a726fc31e9dcee542c3d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
210B

MD5
6010104e3bb424addcec23609b1e5249

SHA1
d4874a66c2ca40dddd27bd0ac5f3698374198481

SHA256
2c6e0dda5deced96962e628b61f437c1801f54da602786f02db57deb2abf70e8

SHA512
d2f255aba44bc9da5b14714892509e200962ebacb2a955273b7309735701fdf6695487710c054b2e4c888d45714599ce0899e6ecbd6558ca1b2d00692b5258ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat

Filesize
210B

MD5
113f45b803aa62a0eee5653c1cbd59db

SHA1
37d7de809211307c3f20850f8f4cd8efc1089506

SHA256
fc8461478b6bd5df0ce8544ebb1fd5d3adaabea1f89649ed76b0ffc3e6bfcd9d

SHA512
b8d29d010f5b2f57f4319ef32e9fccf26e7e4ea4fbe71fba56887adcd98594c0b2c211eea432f59492828c413d6bcfc2325fb47c04d39a0891b27f34ca536308

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat

Filesize
210B

MD5
833069d4ca7de950d2c6ac633804f2b5

SHA1
dbd1efbbc9ec4093fb361f5bea84cd8a32963ecc

SHA256
0266018153516f623e9fa739955520cb73fd67beb2ef60051f8df255d0e21d39

SHA512
03ca20f010d3cacb735d25513cdcae59e33e264cf52b6a239a8e632d2ff2a2f45ae572a3e989f8c2304f2d9e90ccf957e4d6be81b4b013e1569dc28fe675a429

Download Submit
C:\Users\Admin\AppData\Local\Temp\F09SHXPcG3.bat

Filesize
210B

MD5
ac93bf0c26683a8c5dba9284c9daee6f

SHA1
a1b9703da535c1d80d97996421d18eee1b672a2c

SHA256
03ea961fd6e541cbbd22fb58c47e30343c7d34e1dc0c063119c186e6aa54c098

SHA512
c4d6412171d73bfab3f0c558363fd48788fd9dd4c65f4c3d1829bbffff7684cd6f844fed99cb3105d209b4e208a3561c2482d2580cb5380ce15499a3f91993a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat

Filesize
210B

MD5
c428d46f336ad9cfccb46dc02b5d50bd

SHA1
54d7c43b30dc0297138a9e0123dfc27ec35f4bc0

SHA256
c71e8bf22d4c6aa8a79a935fa5ac2b33d3bbeb0cd343f1ce03ca17993fb1ea01

SHA512
e26b9e85b7645adb2ff687621e133947d49964c7baf5b7e4c5feae02e98e958d1c87ced01fef163d84302eb91d0a662d5fcd88575cd01e529bc15acde0e0bda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
210B

MD5
3025335cc050144fe207bf3b697352ef

SHA1
065e6a5148700f7ace5e0ac1d63d29ffb3607d49

SHA256
98a20e9be1ee27321102cee25c726815e5006caeda1fd27473462ff12fdba21a

SHA512
b9fb8273144a97cec1535f8596f1f4de1a0e4d12cb0be3341ed242c74374955e7d6ae5b73993fb62bb00161c38e3f968b862a942c12267537cc223f78455f9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat

Filesize
210B

MD5
a2136b4f02034cfc3dd657f6e106bed1

SHA1
1a6a48cb5dc72aa961385c01f8f2670ef2d69a14

SHA256
5b20a5504698b9a9ffad7225d3a7e24c127c295dc6645d1942697518c0541d2a

SHA512
67fc1509ee438ac1ea1484b4c15df3709ececa89ba27927cdcd632b4d1244d4d246a53bc51ab31a33bf7d5f1e3a8e50680888130ab61b8db1866dbc78a905efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
210B

MD5
ec31ef4ff9e217f59f2c054880be2ff4

SHA1
7aab8d1a4aea2d831d9a3d2d2768b432373d3f2c

SHA256
ab64a246351c22ce1d9cf2df6d0d1d517f5b59ca1cd54bbfa59347222a07e2dd

SHA512
849eebf8fd2a0ed16621ba24323cbe77fa1902e8647c7d458655114d60372f1d5fa53c219a0cb5508297733734d56b81578088de7884fae9c5300688dcfb6617

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ythl0u0k.34n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat

Filesize
210B

MD5
0950a3fe58c9c221e9e3f423aec8db54

SHA1
4c8c8a8b4da055e182307e8249bdcbf7236006b5

SHA256
4f6438f5d527095e380bc7eba587f7c766887b373c0c6aaf01dc81c6b8b0036e

SHA512
937afe7ff953c0f930f1349fa04ee507a26e26e6b4b0523f9038f3ba8fdb7999f45444cc3e2cd33b72ac02ec0b48dd3e06bee70f789bcd64ac8434c7b6b203db

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
210B

MD5
2794404436cab96e36644fed93e7ea9d

SHA1
cc495203d79fa54abee2fc1afca8230fec84d24a

SHA256
fad8cb10b711bbae86f24bf911fb540803f7f8f2b3d331824866c45688c40890

SHA512
dd6f50a5a87c8ed40415086df5df41f062f53e944b1bfdb4dd9b9688fa80c2b4068aab56641bb4ef1c1b651c9fe6ebb354e0d73201542b6d3c0325899cb616a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

Filesize
210B

MD5
245758ab89cd8b578167a7b0690136bd

SHA1
bb541c23a68b1287ae204fad93621a0833f3fe4e

SHA256
2c39acd17277cfb0a54e8df8488e036c6b6e3dd1c41db9772f89e6f443747fbd

SHA512
76c20f6219d7b5f456bb207e065ecb8b6dd889219469bb7fa2a2f10cd3a38f12abcfa26da31c737c6558a20f83cb4c3e29418661ae1a79fc4fafbac1e0394dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat

Filesize
210B

MD5
313ad229050d80ccc0e238db3615e9d2

SHA1
2a0baa32697d1cc5f36c4afe33c92ca8ee9e36d4

SHA256
b5c4ca3b318d8f6665b274a93dc448dadb0350704bed856e76de21ea1cc1c6f5

SHA512
194951b1f481bfdf9e23c40a5c05a9a220bff3fd572efe780d2cbcbabda1a2700b967818d4953249bd129a2dfcaf75418b8745b705a2240ee2cd95261035dabb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/392-205-0x000000001C7A0000-0x000000001C949000-memory.dmp

Filesize
1.7MB

Download
memory/928-253-0x0000000002D00000-0x0000000002D12000-memory.dmp

Filesize
72KB

Download
memory/1192-198-0x000000001BA50000-0x000000001BB52000-memory.dmp

Filesize
1.0MB

Download
memory/1688-243-0x000000001C5D0000-0x000000001C73A000-memory.dmp

Filesize
1.4MB

Download
memory/1688-238-0x0000000002BD0000-0x0000000002BE2000-memory.dmp

Filesize
72KB

Download
memory/1720-235-0x000000001BFD0000-0x000000001C179000-memory.dmp

Filesize
1.7MB

Download
memory/1720-230-0x0000000000D60000-0x0000000000D72000-memory.dmp

Filesize
72KB

Download
memory/2196-266-0x00000000013D0000-0x00000000013E2000-memory.dmp

Filesize
72KB

Download
memory/3012-43-0x0000020E335C0000-0x0000020E335E2000-memory.dmp

Filesize
136KB

Download
memory/3324-208-0x0000000001320000-0x0000000001332000-memory.dmp

Filesize
72KB

Download
memory/3324-213-0x000000001C470000-0x000000001C619000-memory.dmp

Filesize
1.7MB

Download
memory/3524-15-0x0000000002B00000-0x0000000002B0C000-memory.dmp

Filesize
48KB

Download
memory/3524-12-0x00007FFC2DE83000-0x00007FFC2DE85000-memory.dmp

Filesize
8KB

Download
memory/3524-13-0x00000000007E0000-0x00000000008F0000-memory.dmp

Filesize
1.1MB

Download
memory/3524-14-0x0000000001240000-0x0000000001252000-memory.dmp

Filesize
72KB

Download
memory/3524-16-0x0000000002B10000-0x0000000002B1C000-memory.dmp

Filesize
48KB

Download
memory/3524-17-0x0000000002B20000-0x0000000002B2C000-memory.dmp

Filesize
48KB

Download
memory/4532-220-0x000000001BD00000-0x000000001BEA9000-memory.dmp

Filesize
1.7MB

Download
memory/4584-191-0x000000001C080000-0x000000001C1EA000-memory.dmp

Filesize
1.4MB

Download
memory/4584-184-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/4776-246-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/4836-89-0x000000001B6F0000-0x000000001B702000-memory.dmp

Filesize
72KB

Download
memory/5068-227-0x000000001C6C0000-0x000000001C869000-memory.dmp

Filesize
1.7MB

Download