dcrat | eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44

Analysis

max time kernel
92s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44.exe
Size

1.3MB
MD5

5ac329ecbe6f960be3ffd836a9e28f6d
SHA1

c71c92ca2e634298fc1106ec7662d9e594aef100
SHA256

eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44
SHA512

363b7726c3373dee058abb8bcf58219323f1644c42da218c2721044d443f6e378a2c8e8300580b0b7b110adbee57100b5d46d3e2f1dc17764d4e945adf0c9e30
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	220	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c82-9.dat	dcrat
behavioral2/memory/4376-13-0x0000000000620000-0x0000000000730000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4748	powershell.exe
2288	powershell.exe
3880	powershell.exe
3128	powershell.exe
980	powershell.exe
4720	powershell.exe
3492	powershell.exe
2052	powershell.exe
1340	powershell.exe
3608	powershell.exe
1792	powershell.exe
4648	powershell.exe
4732	powershell.exe
472	powershell.exe
2116	powershell.exe
436	powershell.exe
1520	powershell.exe
2720	powershell.exe
3240	powershell.exe
4156	powershell.exe
3644	powershell.exe
4000	powershell.exe
2236	powershell.exe
5084	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Executes dropped EXE 3 IoCs

pid	Process
4376	DllCommonsvc.exe
3232	DllCommonsvc.exe
4596	powershell.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\uk-UA\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\it-IT\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\uk-UA\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\it-IT\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\powershell.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Speech_OneCore\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Speech_OneCore\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\IME\IMETC\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\IME\IMETC\e978f868350d50	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	JaffaCakes118_eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1956	schtasks.exe
3084	schtasks.exe
3004	schtasks.exe
4396	schtasks.exe
2988	schtasks.exe
3548	schtasks.exe
2512	schtasks.exe
3948	schtasks.exe
3480	schtasks.exe
964	schtasks.exe
2412	schtasks.exe
4620	schtasks.exe
1952	schtasks.exe
212	schtasks.exe
4500	schtasks.exe
2424	schtasks.exe
1812	schtasks.exe
3020	schtasks.exe
648	schtasks.exe
4504	schtasks.exe
740	schtasks.exe
4200	schtasks.exe
1564	schtasks.exe
3720	schtasks.exe
1768	schtasks.exe
2164	schtasks.exe
4176	schtasks.exe
4140	schtasks.exe
3648	schtasks.exe
4588	schtasks.exe
1652	schtasks.exe
2128	schtasks.exe
4444	schtasks.exe
3096	schtasks.exe
5116	schtasks.exe
4832	schtasks.exe
3680	schtasks.exe
964	schtasks.exe
2464	schtasks.exe
2216	schtasks.exe
2728	schtasks.exe
1016	schtasks.exe
4516	schtasks.exe
4704	schtasks.exe
212	schtasks.exe
4112	schtasks.exe
1940	schtasks.exe
4124	schtasks.exe
1472	schtasks.exe
2384	schtasks.exe
3332	schtasks.exe
1984	schtasks.exe
4836	schtasks.exe
1932	schtasks.exe
2868	schtasks.exe
2240	schtasks.exe
4396	schtasks.exe
4044	schtasks.exe
2456	schtasks.exe
4712	schtasks.exe
4588	schtasks.exe
3312	schtasks.exe
4024	schtasks.exe
1972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4376	DllCommonsvc.exe
3240	powershell.exe
980	powershell.exe
980	powershell.exe
4748	powershell.exe
4156	powershell.exe
3608	powershell.exe
2720	powershell.exe
3232	DllCommonsvc.exe
3240	powershell.exe
4748	powershell.exe
3608	powershell.exe
4156	powershell.exe
2720	powershell.exe
3232	DllCommonsvc.exe
3232	DllCommonsvc.exe
3232	DllCommonsvc.exe
3232	DllCommonsvc.exe
3232	DllCommonsvc.exe
3232	DllCommonsvc.exe
3232	DllCommonsvc.exe
3232	DllCommonsvc.exe
1792	powershell.exe
1792	powershell.exe
436	powershell.exe
436	powershell.exe
1340	powershell.exe
1340	powershell.exe
3644	powershell.exe
3644	powershell.exe
4732	powershell.exe
4732	powershell.exe
2236	powershell.exe
2236	powershell.exe
4648	powershell.exe
4648	powershell.exe
472	powershell.exe
472	powershell.exe
4720	powershell.exe
4720	powershell.exe
1520	powershell.exe
1520	powershell.exe
4000	powershell.exe
4000	powershell.exe
3128	powershell.exe
3128	powershell.exe
2052	powershell.exe
2052	powershell.exe
2288	powershell.exe
2288	powershell.exe
2116	powershell.exe
2116	powershell.exe
3492	powershell.exe
3492	powershell.exe
3128	powershell.exe
3880	powershell.exe
3880	powershell.exe
5084	powershell.exe
5084	powershell.exe
2236	powershell.exe
2116	powershell.exe
436	powershell.exe
436	powershell.exe
1792	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	DllCommonsvc.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	3232	DllCommonsvc.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4712	3012	JaffaCakes118_eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44.exe	83
PID 3012 wrote to memory of 4712	3012	JaffaCakes118_eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44.exe	83
PID 3012 wrote to memory of 4712	3012	JaffaCakes118_eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44.exe	83
PID 4712 wrote to memory of 3128	4712	WScript.exe	85
PID 4712 wrote to memory of 3128	4712	WScript.exe	85
PID 4712 wrote to memory of 3128	4712	WScript.exe	85
PID 3128 wrote to memory of 4376	3128	cmd.exe	87
PID 3128 wrote to memory of 4376	3128	cmd.exe	87
PID 4376 wrote to memory of 2720	4376	DllCommonsvc.exe	105
PID 4376 wrote to memory of 2720	4376	DllCommonsvc.exe	105
PID 4376 wrote to memory of 980	4376	DllCommonsvc.exe	106
PID 4376 wrote to memory of 980	4376	DllCommonsvc.exe	106
PID 4376 wrote to memory of 4748	4376	DllCommonsvc.exe	107
PID 4376 wrote to memory of 4748	4376	DllCommonsvc.exe	107
PID 4376 wrote to memory of 3240	4376	DllCommonsvc.exe	108
PID 4376 wrote to memory of 3240	4376	DllCommonsvc.exe	108
PID 4376 wrote to memory of 3608	4376	DllCommonsvc.exe	109
PID 4376 wrote to memory of 3608	4376	DllCommonsvc.exe	109
PID 4376 wrote to memory of 4156	4376	DllCommonsvc.exe	110
PID 4376 wrote to memory of 4156	4376	DllCommonsvc.exe	110
PID 4376 wrote to memory of 3232	4376	DllCommonsvc.exe	116
PID 4376 wrote to memory of 3232	4376	DllCommonsvc.exe	116
PID 3232 wrote to memory of 3644	3232	DllCommonsvc.exe	169
PID 3232 wrote to memory of 3644	3232	DllCommonsvc.exe	169
PID 3232 wrote to memory of 1792	3232	DllCommonsvc.exe	170
PID 3232 wrote to memory of 1792	3232	DllCommonsvc.exe	170
PID 3232 wrote to memory of 1340	3232	DllCommonsvc.exe	171
PID 3232 wrote to memory of 1340	3232	DllCommonsvc.exe	171
PID 3232 wrote to memory of 1520	3232	DllCommonsvc.exe	172
PID 3232 wrote to memory of 1520	3232	DllCommonsvc.exe	172
PID 3232 wrote to memory of 436	3232	DllCommonsvc.exe	173
PID 3232 wrote to memory of 436	3232	DllCommonsvc.exe	173
PID 3232 wrote to memory of 4000	3232	DllCommonsvc.exe	175
PID 3232 wrote to memory of 4000	3232	DllCommonsvc.exe	175
PID 3232 wrote to memory of 2052	3232	DllCommonsvc.exe	176
PID 3232 wrote to memory of 2052	3232	DllCommonsvc.exe	176
PID 3232 wrote to memory of 3492	3232	DllCommonsvc.exe	177
PID 3232 wrote to memory of 3492	3232	DllCommonsvc.exe	177
PID 3232 wrote to memory of 5084	3232	DllCommonsvc.exe	179
PID 3232 wrote to memory of 5084	3232	DllCommonsvc.exe	179
PID 3232 wrote to memory of 2236	3232	DllCommonsvc.exe	180
PID 3232 wrote to memory of 2236	3232	DllCommonsvc.exe	180
PID 3232 wrote to memory of 4720	3232	DllCommonsvc.exe	181
PID 3232 wrote to memory of 4720	3232	DllCommonsvc.exe	181
PID 3232 wrote to memory of 2116	3232	DllCommonsvc.exe	182
PID 3232 wrote to memory of 2116	3232	DllCommonsvc.exe	182
PID 3232 wrote to memory of 3128	3232	DllCommonsvc.exe	184
PID 3232 wrote to memory of 3128	3232	DllCommonsvc.exe	184
PID 3232 wrote to memory of 472	3232	DllCommonsvc.exe	185
PID 3232 wrote to memory of 472	3232	DllCommonsvc.exe	185
PID 3232 wrote to memory of 3880	3232	DllCommonsvc.exe	186
PID 3232 wrote to memory of 3880	3232	DllCommonsvc.exe	186
PID 3232 wrote to memory of 2288	3232	DllCommonsvc.exe	187
PID 3232 wrote to memory of 2288	3232	DllCommonsvc.exe	187
PID 3232 wrote to memory of 4732	3232	DllCommonsvc.exe	188
PID 3232 wrote to memory of 4732	3232	DllCommonsvc.exe	188
PID 3232 wrote to memory of 4648	3232	DllCommonsvc.exe	189
PID 3232 wrote to memory of 4648	3232	DllCommonsvc.exe	189
PID 3232 wrote to memory of 4596	3232	DllCommonsvc.exe	205
PID 3232 wrote to memory of 4596	3232	DllCommonsvc.exe	205

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eac9693c72384b6ec29c6071ebef614361af9cc0e0c921c32a892d82f58e3f44.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\uk-UA\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\upfc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMETC\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
      - C:\Program Files (x86)\Windows Portable Devices\powershell.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\powershell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\uk-UA\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\providercommon\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\it-IT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech_OneCore\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Saved Games\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\IMETC\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\IME\IMETC\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\IMETC\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3db1c0d23daacf01eb99125ccc2787d3

SHA1
0849528de1ba411279231d635d8f39d54cc829d2

SHA256
bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582

SHA512
3d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7a451cd1316d70a65910773fee8c3a43

SHA1
d2db32d5037153dd1d94565b51b5b385817a3c3d

SHA256
862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c

SHA512
60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75d224e238a397659d8e5cf458a41143

SHA1
d182d16283d3d864a2e328b677551428c29ad6df

SHA256
6a98fa5e6c5b77722f2bd8c855fd14d6bf545fc35b292252d1dc136b89ed2fee

SHA512
3477f3b4182ffdccc817de4242c8fcba706c193a0de5170cd023f8df3d330487d7e372556524b5a0fe1df56de40923700f3f8368eadf6601970e347cbcf078cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
816d03b14553d8d2cd19771bf135873f

SHA1
3efdd566ca724299705e7c30d4cbb84349b7a1ae

SHA256
70d3acdba0037de3d175aca44a86daf8392b2350f6f8b026b7accb02f95a9304

SHA512
365ac792e05619e5ef42b40f1e4dd5d1ebb18a5a409be9c5428e52be7896f4b18eef2a93a4e0f5e1930996bf70798fe45fc5b6d829687d975191015944dbbdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b22bcc023ccf6782c755f5b743aa3a52

SHA1
141150057021a07fa6aa03f46c9f2fd5719b3eeb

SHA256
a977c9d6fc409dbc0abbaa17e306eca391657f1f3c974cf1b004826000b8d1b4

SHA512
05c78b755324319a86857f3d249cfc9cc0c6c51a4f8ee94350a1936853e323af668fa8ee224d60eea618f1a7684897c3ce24713365dbeeba02e7718cbe4b3b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01841b4277227c0578c89131444e7d57

SHA1
b00fbb6cabb5d09d50c28c0fdc62e5e6917b0c5d

SHA256
34797c2cafe0d94ea265e6aba8e38c3c34532e125bdd6dc8c1eab16a977a8cfa

SHA512
15c656ce162ff535506f9f22d285355576e53b89baebc1064523ab59f2eccb111cdd71c1fd66e59995d0727993bd268c976a9bd6cd78ff78d19a3c13436f0497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bf2b1a5d4f6bd85aa4e75d833186aaa

SHA1
44cce8cba6525ba252f6a9253ec10a11d8044788

SHA256
2f17b4ae194794a15897c5241c20bc086cc3d32797dad4a677103f25bd892524

SHA512
f48fe3ca2ee9902bd5e696318aafe95ba0514774ef76b953df77bdb69008a2257cd0ce6784ae05a4e4a9b398cd4977cf55f9a0f8eb8b92625a6256bb9d502379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee1c70b5cabd30d7c1860e395d176aec

SHA1
867c332640b21a7c6c6dfc6177121eb23e1aba53

SHA256
c3f962da3272612556fb293f1f3c95166a90e509aaa85486e6dbeae60b906b5f

SHA512
bed18583c994bc1c185621105a4b90597e530c8c056ff2c9cc496dbaabf405481d177d0a2acd421b7103b96b092d3f4ef46f0b28ee8dc7a674a141e700409440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e88746ac8a91063a3cf30c100e7f81a6

SHA1
bef89ea73b5ac1afcbb6a6d356a5b1658381d94f

SHA256
2b4489ded346a3fc11c164fc9bf96ff3d3b9881e4f8ed010e2119be426abb36d

SHA512
2f16cc24dd94dd53dfc9cb9ba1e1b7c922808b51a8679ab82b2c86dc84557bbf1b3c3e88bece05af1d697df03d9977ae29cb01805a704c46a162dc7c3e14568c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0pa451lg.2ca.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/980-39-0x0000027932CF0000-0x0000027932D12000-memory.dmp

Filesize
136KB

Download
memory/4376-17-0x00000000028E0000-0x00000000028EC000-memory.dmp

Filesize
48KB

Download
memory/4376-16-0x00000000028D0000-0x00000000028DC000-memory.dmp

Filesize
48KB

Download
memory/4376-15-0x000000001B250000-0x000000001B25C000-memory.dmp

Filesize
48KB

Download
memory/4376-14-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/4376-13-0x0000000000620000-0x0000000000730000-memory.dmp

Filesize
1.1MB

Download
memory/4376-12-0x00007FFF45453000-0x00007FFF45455000-memory.dmp

Filesize
8KB

Download