dcrat | f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe
Size

1.3MB
MD5

32d240a4e06320b02139ac23d293b690
SHA1

d0545c3832f80b94899ec7170ecc39f369582e9d
SHA256

f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142
SHA512

54d1ea49edae50f3958cf10a751ba5ded2bc6b21717de32a73114b28387b1533784de1ddbcb0487fed2a844120188d466afd32d5b1355395ff3ee91d122dfdc3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2480	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2480	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000e000000023bd7-9.dat	dcrat
behavioral2/memory/908-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1712	powershell.exe
3260	powershell.exe
2436	powershell.exe
2016	powershell.exe
3388	powershell.exe
2812	powershell.exe
4136	powershell.exe
4752	powershell.exe
4736	powershell.exe
3884	powershell.exe
4448	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 14 IoCs

pid	Process
908	DllCommonsvc.exe
4168	fontdrvhost.exe
3772	fontdrvhost.exe
3524	fontdrvhost.exe
4736	fontdrvhost.exe
3016	fontdrvhost.exe
1460	fontdrvhost.exe
2280	fontdrvhost.exe
3140	fontdrvhost.exe
1664	fontdrvhost.exe
4012	fontdrvhost.exe
4516	fontdrvhost.exe
3592	fontdrvhost.exe
4316	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
37	raw.githubusercontent.com
39	raw.githubusercontent.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
51	raw.githubusercontent.com
14	raw.githubusercontent.com
22	raw.githubusercontent.com
38	raw.githubusercontent.com
42	raw.githubusercontent.com
50	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\5b884080fd4f94	DllCommonsvc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\fontdrvhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Containers\Registry.exe	DllCommonsvc.exe
File created	C:\Windows\Containers\ee2ad38f3d4382	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4544	schtasks.exe
4956	schtasks.exe
3276	schtasks.exe
2524	schtasks.exe
3308	schtasks.exe
3652	schtasks.exe
1820	schtasks.exe
2920	schtasks.exe
3916	schtasks.exe
964	schtasks.exe
3256	schtasks.exe
1884	schtasks.exe
216	schtasks.exe
2948	schtasks.exe
4596	schtasks.exe
1480	schtasks.exe
2148	schtasks.exe
4408	schtasks.exe
2320	schtasks.exe
2052	schtasks.exe
228	schtasks.exe
384	schtasks.exe
3424	schtasks.exe
4248	schtasks.exe
2676	schtasks.exe
2912	schtasks.exe
3684	schtasks.exe
2384	schtasks.exe
4496	schtasks.exe
5012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
908	DllCommonsvc.exe
908	DllCommonsvc.exe
908	DllCommonsvc.exe
908	DllCommonsvc.exe
908	DllCommonsvc.exe
908	DllCommonsvc.exe
908	DllCommonsvc.exe
2016	powershell.exe
2016	powershell.exe
3260	powershell.exe
3260	powershell.exe
4736	powershell.exe
4736	powershell.exe
2812	powershell.exe
2812	powershell.exe
3884	powershell.exe
3884	powershell.exe
2436	powershell.exe
2436	powershell.exe
1712	powershell.exe
1712	powershell.exe
4136	powershell.exe
4136	powershell.exe
4752	powershell.exe
4752	powershell.exe
4448	powershell.exe
4448	powershell.exe
3388	powershell.exe
3388	powershell.exe
4168	fontdrvhost.exe
4168	fontdrvhost.exe
2812	powershell.exe
3260	powershell.exe
2436	powershell.exe
2016	powershell.exe
3884	powershell.exe
3388	powershell.exe
1712	powershell.exe
4736	powershell.exe
4136	powershell.exe
4448	powershell.exe
4752	powershell.exe
3772	fontdrvhost.exe
3524	fontdrvhost.exe
4736	fontdrvhost.exe
3016	fontdrvhost.exe
1460	fontdrvhost.exe
2280	fontdrvhost.exe
3140	fontdrvhost.exe
1664	fontdrvhost.exe
4012	fontdrvhost.exe
4516	fontdrvhost.exe
3592	fontdrvhost.exe
4316	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	908	DllCommonsvc.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4168	fontdrvhost.exe
Token: SeDebugPrivilege	3772	fontdrvhost.exe
Token: SeDebugPrivilege	3524	fontdrvhost.exe
Token: SeDebugPrivilege	4736	fontdrvhost.exe
Token: SeDebugPrivilege	3016	fontdrvhost.exe
Token: SeDebugPrivilege	1460	fontdrvhost.exe
Token: SeDebugPrivilege	2280	fontdrvhost.exe
Token: SeDebugPrivilege	3140	fontdrvhost.exe
Token: SeDebugPrivilege	1664	fontdrvhost.exe
Token: SeDebugPrivilege	4012	fontdrvhost.exe
Token: SeDebugPrivilege	4516	fontdrvhost.exe
Token: SeDebugPrivilege	3592	fontdrvhost.exe
Token: SeDebugPrivilege	4316	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 2368	3512	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe	82
PID 3512 wrote to memory of 2368	3512	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe	82
PID 3512 wrote to memory of 2368	3512	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe	82
PID 2368 wrote to memory of 3776	2368	WScript.exe	83
PID 2368 wrote to memory of 3776	2368	WScript.exe	83
PID 2368 wrote to memory of 3776	2368	WScript.exe	83
PID 3776 wrote to memory of 908	3776	cmd.exe	85
PID 3776 wrote to memory of 908	3776	cmd.exe	85
PID 908 wrote to memory of 4136	908	DllCommonsvc.exe	117
PID 908 wrote to memory of 4136	908	DllCommonsvc.exe	117
PID 908 wrote to memory of 1712	908	DllCommonsvc.exe	118
PID 908 wrote to memory of 1712	908	DllCommonsvc.exe	118
PID 908 wrote to memory of 3260	908	DllCommonsvc.exe	119
PID 908 wrote to memory of 3260	908	DllCommonsvc.exe	119
PID 908 wrote to memory of 4448	908	DllCommonsvc.exe	120
PID 908 wrote to memory of 4448	908	DllCommonsvc.exe	120
PID 908 wrote to memory of 2436	908	DllCommonsvc.exe	121
PID 908 wrote to memory of 2436	908	DllCommonsvc.exe	121
PID 908 wrote to memory of 2016	908	DllCommonsvc.exe	122
PID 908 wrote to memory of 2016	908	DllCommonsvc.exe	122
PID 908 wrote to memory of 4752	908	DllCommonsvc.exe	123
PID 908 wrote to memory of 4752	908	DllCommonsvc.exe	123
PID 908 wrote to memory of 4736	908	DllCommonsvc.exe	124
PID 908 wrote to memory of 4736	908	DllCommonsvc.exe	124
PID 908 wrote to memory of 3388	908	DllCommonsvc.exe	125
PID 908 wrote to memory of 3388	908	DllCommonsvc.exe	125
PID 908 wrote to memory of 3884	908	DllCommonsvc.exe	126
PID 908 wrote to memory of 3884	908	DllCommonsvc.exe	126
PID 908 wrote to memory of 2812	908	DllCommonsvc.exe	127
PID 908 wrote to memory of 2812	908	DllCommonsvc.exe	127
PID 908 wrote to memory of 4168	908	DllCommonsvc.exe	139
PID 908 wrote to memory of 4168	908	DllCommonsvc.exe	139
PID 4168 wrote to memory of 4284	4168	fontdrvhost.exe	140
PID 4168 wrote to memory of 4284	4168	fontdrvhost.exe	140
PID 4284 wrote to memory of 372	4284	cmd.exe	142
PID 4284 wrote to memory of 372	4284	cmd.exe	142
PID 4284 wrote to memory of 3772	4284	cmd.exe	143
PID 4284 wrote to memory of 3772	4284	cmd.exe	143
PID 3772 wrote to memory of 2460	3772	fontdrvhost.exe	151
PID 3772 wrote to memory of 2460	3772	fontdrvhost.exe	151
PID 2460 wrote to memory of 1456	2460	cmd.exe	153
PID 2460 wrote to memory of 1456	2460	cmd.exe	153
PID 2460 wrote to memory of 3524	2460	cmd.exe	155
PID 2460 wrote to memory of 3524	2460	cmd.exe	155
PID 3524 wrote to memory of 4824	3524	fontdrvhost.exe	156
PID 3524 wrote to memory of 4824	3524	fontdrvhost.exe	156
PID 4824 wrote to memory of 2428	4824	cmd.exe	158
PID 4824 wrote to memory of 2428	4824	cmd.exe	158
PID 4824 wrote to memory of 4736	4824	cmd.exe	159
PID 4824 wrote to memory of 4736	4824	cmd.exe	159
PID 4736 wrote to memory of 4636	4736	fontdrvhost.exe	160
PID 4736 wrote to memory of 4636	4736	fontdrvhost.exe	160
PID 4636 wrote to memory of 5076	4636	cmd.exe	162
PID 4636 wrote to memory of 5076	4636	cmd.exe	162
PID 4636 wrote to memory of 3016	4636	cmd.exe	163
PID 4636 wrote to memory of 3016	4636	cmd.exe	163
PID 3016 wrote to memory of 3388	3016	fontdrvhost.exe	164
PID 3016 wrote to memory of 3388	3016	fontdrvhost.exe	164
PID 3388 wrote to memory of 1084	3388	cmd.exe	166
PID 3388 wrote to memory of 1084	3388	cmd.exe	166
PID 3388 wrote to memory of 1460	3388	cmd.exe	167
PID 3388 wrote to memory of 1460	3388	cmd.exe	167
PID 1460 wrote to memory of 4336	1460	fontdrvhost.exe	168
PID 1460 wrote to memory of 4336	1460	fontdrvhost.exe	168

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:372
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1456
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2428
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5076
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1084
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
        16⤵
        
        PID:4336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2440
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
        18⤵
        
        PID:4296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3780
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        20⤵
        
        PID:984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4864
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        22⤵
        
        PID:1900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:320
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        24⤵
        
        PID:3176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3476
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
        26⤵
        
        PID:4808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3580
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
        28⤵
        
        PID:4136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2320
        
        C:\Program Files (x86)\Common Files\System\fontdrvhost.exe
        
        "C:\Program Files (x86)\Common Files\System\fontdrvhost.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Containers\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

Filesize
223B

MD5
8c7d259fd97a97d841e72a46b99b19fd

SHA1
685327b22f686c269affbfe6ee98817b4b44298c

SHA256
7dd5940aa4365df23a7723a272b2a0936429b3adc214fce1169a2605b41c0fa1

SHA512
af87ba6d14cc01692c52c8d8962e8fe164e8dda6d616806fe0c71758cd4c7d3277cf20f57d9919fade31af27d9bd095a0cfa3c34e88608b5e5491ab1a7366079

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
223B

MD5
88d9965cf2aad5541b0c71472feabfbd

SHA1
a129a1e91469b38984303dfe5bc880e8ee5d1046

SHA256
1240f5ca4b7446d3efbec55a8b437dab83009eec9aab2e94e948ffc2d33d87af

SHA512
9805fbca2aef531515f506b32380e42dcc3a98e1fb2d677e3907c04f19497f9211382e5c2a571b085bf5e632e5e5944a4e65c069fff3f1d73082d2482a1c943b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

Filesize
223B

MD5
7894e03ced346452b5bc0e5de308643f

SHA1
68f50413cfb337959ac73fd90e6242de436ec064

SHA256
7d857018ce78990a67c7fba01124f6a0cdc76f500061e4566012ca91a176b8ce

SHA512
c506fedc304f21574cb7fee3320605dd631a06c8c7f59712661bd97a7c1c50b7d6d7be248bd74ebda3bd90bc440344b3cc363927ec339afa913f5a47ca53c936

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
223B

MD5
6cdede8dec68dc2721122b6261248b82

SHA1
2dda5f669e26f90ee84b6f53409f4cd4f87f124c

SHA256
f3d47120d998ef23b54ee28e11a810a72b86a8f706a7451c57af417382b13db5

SHA512
f33438758b8788bc2232861282dea7e2830cbad2c733aa2d9c6fc914890ca032b174b94108fc522a1f14e544d7c9d7d5015fdf33a18ee4dd50a5fc50186fc712

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0wvxl3l.ncc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat

Filesize
223B

MD5
dd2bf548fa53989326d1efd3a4337b5c

SHA1
515da4bbdd9f2faa0cdd2728929c2fc91c30be2c

SHA256
d4322530019f68aee23b7e35d5ece37f2ecef052377cdf080b6754ff49252c23

SHA512
2458b366b24d834e7c1356964f92be040a2e21684f95b9530bce2ebbda08b308205b2b84492d082c0fd31b5def925254d395f8bc240dcf071c340031287e7c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

Filesize
223B

MD5
e622610add6b516eacfa6e822bfe94ed

SHA1
96aa3953e8dcad2b3aead2b502cbf83800620ea1

SHA256
297b442f9bdf368b88baef30983cf27a77dc9ad5153233426efa89eccb7c41a4

SHA512
993c24f313f44288d0d5d364873f6f606e1cb7220fae7236796f2fe383c33f32c58ff9b1d907b48ebbffa1dfbd3d7629211763faa3f87a126c402759f71ff4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat

Filesize
223B

MD5
2bef0c1e00b0374e13cc73307059135d

SHA1
b75a5c315c30a4b363676611e89866c7048b253f

SHA256
bee9fe0b37f02c1ce266c18ecb3b3679ad62e3de0a29339a86e0e336cd0c03aa

SHA512
5878e155a0b46e410381d013e812f94a0580c0ede7a27d0b6ebc6b3aa2cce8a38be63b82da0697c55317f38c3c13e1462585f5a0bbe9ae1eb73ef3b2ccd275f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
223B

MD5
70ca4e1dd116c0cfa443588a10fdcd43

SHA1
280e302de5e1c294e28a7198d27c873daa0ed9c3

SHA256
ce739209bbb233b7ec5e9fac16bccfbbd63df5c3018e472120245036f70c3fcc

SHA512
11303e736d4e1d6a3896648ae9d47b6984696332bf3e1eaf91091fd18a4b449c9f79bf122a1517ff237c16a50251e84eb2359c3d65d41db024e82a0a97e9575b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

Filesize
223B

MD5
f70dda0cccb6e3e5b7e74d840fe76b00

SHA1
91b69d7643fdda602caf91ed80500066931efc56

SHA256
b493bdb2d670329cf0992099d58df8a9f73072179a18fcdb1892309e9e8e3be1

SHA512
a5ea902467326db78b903c96b3706884a3ad31693d8ae61aca331164727ea9d7bd96f220b720f8e1edae831958ef624991e7a2c1d0c82c4cf2d7832b1308cf40

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/908-17-0x000000001BBD0000-0x000000001BBDC000-memory.dmp

Filesize
48KB

Download
memory/908-16-0x00000000030A0000-0x00000000030AC000-memory.dmp

Filesize
48KB

Download
memory/908-15-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/908-14-0x0000000003030000-0x0000000003042000-memory.dmp

Filesize
72KB

Download
memory/908-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/908-12-0x00007FFB39AF3000-0x00007FFB39AF5000-memory.dmp

Filesize
8KB

Download
memory/1712-166-0x00000179DD970000-0x00000179DDADA000-memory.dmp

Filesize
1.4MB

Download
memory/2016-67-0x000002150AC80000-0x000002150ACA2000-memory.dmp

Filesize
136KB

Download
memory/2016-171-0x0000021523250000-0x00000215233BA000-memory.dmp

Filesize
1.4MB

Download
memory/2436-159-0x00000241DAC40000-0x00000241DADAA000-memory.dmp

Filesize
1.4MB

Download
memory/2812-163-0x000002A22D9D0000-0x000002A22DB3A000-memory.dmp

Filesize
1.4MB

Download
memory/3260-169-0x000001CA9D7E0000-0x000001CA9D94A000-memory.dmp

Filesize
1.4MB

Download
memory/3388-180-0x00000210FBF40000-0x00000210FC0AA000-memory.dmp

Filesize
1.4MB

Download
memory/3524-199-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/3592-255-0x00000000016C0000-0x00000000016D2000-memory.dmp

Filesize
72KB

Download
memory/3772-192-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/3884-174-0x000001B258230000-0x000001B25839A000-memory.dmp

Filesize
1.4MB

Download
memory/4012-242-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/4136-162-0x0000020FF1D50000-0x0000020FF1EBA000-memory.dmp

Filesize
1.4MB

Download
memory/4168-149-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/4448-177-0x0000023EB6550000-0x0000023EB66BA000-memory.dmp

Filesize
1.4MB

Download
memory/4736-170-0x000001A4AD660000-0x000001A4AD7CA000-memory.dmp

Filesize
1.4MB

Download
memory/4752-183-0x00000257E53C0000-0x00000257E552A000-memory.dmp

Filesize
1.4MB

Download