Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 22:21

General

  • Target

    JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe

  • Size

    1.3MB

  • MD5

    ef34fc6d3f55b68d4c5ec2fe4f86204b

  • SHA1

    07c79d701c1cc7d7e0a71e9010f2d4905bdd1b3b

  • SHA256

    50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91

  • SHA512

    d0c4e4dee957c9456ef88f93ef73355e803a0a558342cbbf38e989f94f29aa16221ed87902a05a6e8e6df7dc46f61ea53887cdfb90bbcc4139a57376574d09fb

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3016
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2468
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:576
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2360
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1768
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\spoolsv.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2520
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:900
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:908
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2132
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2828
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:568
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2564
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\csrss.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1504
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2700
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:968
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1304
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1140
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\schtasks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2804
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\779qc6ONGy.bat"
              6⤵
                PID:1628
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:936
                  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:920
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"
                      8⤵
                        PID:2956
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:1164
                          • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                            "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1860
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
                              10⤵
                                PID:996
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:1904
                                  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                                    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2724
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"
                                      12⤵
                                        PID:2312
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:3056
                                          • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                                            "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3040
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
                                              14⤵
                                                PID:2152
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:572
                                                  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                                                    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1748
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"
                                                      16⤵
                                                        PID:1008
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:2868
                                                          • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                                                            "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2536
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
                                                              18⤵
                                                                PID:2788
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:2468
                                                                  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                                                                    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1812
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
                                                                      20⤵
                                                                        PID:1048
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:544
                                                                          • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                                                                            "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:800
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
                                                                              22⤵
                                                                                PID:1304
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:1004
                                                                                  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                                                                                    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1632
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
                                                                                      24⤵
                                                                                        PID:1848
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          25⤵
                                                                                            PID:2340
                                                                                          • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                                                                                            "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                                                                                            25⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1644
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"
                                                                                              26⤵
                                                                                                PID:2684
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  27⤵
                                                                                                    PID:2064
                                                                                                  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe
                                                                                                    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"
                                                                                                    27⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:852
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2556
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:2804
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:2576
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WMIADAP.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:2548
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:532
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2984
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:768
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:576
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1840
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2760
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:1812
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2432
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1000
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1508
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1220
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2784
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2036
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1628
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1164
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1768
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2880
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2152
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2356
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:1484
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\lsass.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2216
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:1664
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:444
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1672
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2628
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:708
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1940
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2008
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:1744
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:908
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:2268
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1680
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\lsm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:1796
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2096
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1260
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\system\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:532
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\system\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1516
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\system\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2644
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\powershell.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2572
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\powershell.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:2020
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\powershell.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2156
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\spoolsv.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2596
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2888
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\spoolsv.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2716
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3064
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2604
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3036
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:1988
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2920
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2032
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\cmd.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                PID:1604
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2008
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1760
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1548
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1796
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1208
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1160
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2424
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1664
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:764
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1484
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:628
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\ja-JP\csrss.exe'" /f
                                                1⤵
                                                  PID:1516
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1916
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\ja-JP\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                    PID:1848
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2532
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2020
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2584
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\schtasks.exe'" /f
                                                    1⤵
                                                      PID:1692
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\schtasks.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1928
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\schtasks.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3060
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f
                                                      1⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1564
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1588
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                                      1⤵
                                                        PID:2772
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'" /f
                                                        1⤵
                                                          PID:2792
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1948
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1860
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\providercommon\schtasks.exe'" /f
                                                          1⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2788
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f
                                                          1⤵
                                                            PID:2404
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3032

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                            Filesize

                                                            342B

                                                            MD5

                                                            c81bd34d0a6c96857472f48f57a2681e

                                                            SHA1

                                                            94c48f3a8e53d7575bb6e63fc4e96f8465add7ea

                                                            SHA256

                                                            4108845e3361bee686996f2d081fcf8f07a0a03478c8841a6bb71734ed73f435

                                                            SHA512

                                                            26ffa61f231571f0a879a84a92adcae82a64f393dcf6d5d9040794b5704a5f072e93f97bb8a33605070355cd8b294ec41da0934b546f45e083567347ddc68f16

                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                            Filesize

                                                            342B

                                                            MD5

                                                            36cd85ee7cd479462a796fd255919c66

                                                            SHA1

                                                            c814229569d539da91c76d1350c286acbe0f0d8a

                                                            SHA256

                                                            6523860bbfe41ef3b9c1de8bfe74c77426689e54802b65aaf2162832592b6297

                                                            SHA512

                                                            483b4f83dc2d9c240b78619011882f570c46909ba43c7623c6c9c08a65aab976cf29820915f7e7aab8920ceba5341b817fafd2e7a7b15f24d16d982c7c1d6633

                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                            Filesize

                                                            342B

                                                            MD5

                                                            5a054778cc6164a02f3734cc2600853a

                                                            SHA1

                                                            67f5aed4cf0b0c21234ef3e73aef2f3cdc4383f6

                                                            SHA256

                                                            8e08e13e6a78f37d5a4836f5ec6b1811221ff1711ddd7339ee8cdcf7b77e6800

                                                            SHA512

                                                            3ed817798ed0a262f5d124ddc1aa9f7ada82d352060e269de554dd610758eb841b73920f7b2082ce49c32b7c7d95627d1f29cb241d2f56ed7d2d7373fe4d6a23

                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                            Filesize

                                                            342B

                                                            MD5

                                                            7d8b0feb9c3a7c07b56582ff357d4791

                                                            SHA1

                                                            88015c4ef3ecbf864f000a6522361ead4bfee5fa

                                                            SHA256

                                                            30a5f3b65f03b2dee98c31e8149c48bb096ad4d9d77564a1fbdc1507076dc00d

                                                            SHA512

                                                            ffecdc894b1cd8da9ee6ab8dde1c33159a621f52b2138a14a500dc82aba92f71364c89dfff253e6cee9424c849835a6eb5a4f6c321da3c71ce08d176bc538e1e

                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                            Filesize

                                                            342B

                                                            MD5

                                                            155bf46ae751725d4a01adddeea844ff

                                                            SHA1

                                                            f3e80f8453ba7b32066d9938c0c43a96772cfa24

                                                            SHA256

                                                            68576d632ba988927cf8ffa09c3de795b3039d7b920e19f52932fc515ad82753

                                                            SHA512

                                                            fc2adf5a4a295045be5e08989a7d5a3c62b6b03f72628394488349fa42123c10eba11e13cb9d291561baa70c8119198bbe4fdc6ae02a9d276b23d4cf4a7baf2e

                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                            Filesize

                                                            342B

                                                            MD5

                                                            471886f1671f4e83b08ddafa6004cc7b

                                                            SHA1

                                                            aa956e5e0e8b3857dd56d110beba2feb29bf63ea

                                                            SHA256

                                                            36a0852252f0dac82f8ddc1edc6f7436c9366094b14e1a04e8d4c3d0288e0c84

                                                            SHA512

                                                            aedb6eea1c5f5eee5c30987ccb86c2c5439b3207980db0d0fd5a4fc4864322fbf7afeb2665719e452cc95fa90adda7ef66befaebba4dd52b74d3ae5196ac5b27

                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                            Filesize

                                                            342B

                                                            MD5

                                                            180af8bae5995a64e9fafeae6058d785

                                                            SHA1

                                                            7d2204400e4b1e23d6f62ad5877d42183a17a5a5

                                                            SHA256

                                                            f5af2ac8f734cf14bf901b3d6b78fd06dcce9113cea083f9ec02b8bb70e18bb8

                                                            SHA512

                                                            fa6deaf96c9df7e356e71062132be1c0cff1c6247b63648072e302e8a29bc6735b7004d441cb3c580a6e24bb6d5ec00d2e4334c399cae76d7db33c860c26f994

                                                          • C:\Users\Admin\AppData\Local\Temp\779qc6ONGy.bat

                                                            Filesize

                                                            241B

                                                            MD5

                                                            c077816d8eb0029f2a72790189fbe404

                                                            SHA1

                                                            bf184c821926ce4c8418f5940e467b2be4bf11fe

                                                            SHA256

                                                            032d432bd501536b34ed0e68417cc366f79a14d58ac7f642992657d1a0cfe82c

                                                            SHA512

                                                            a23b4c06c65752218983cd99723f7589c5a96aa4ec71bbf99c810712e2110fca64411e3c2031a4fac01f7a1f453279ff1168ca893fb83e45bf3a43e3273273f5

                                                          • C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat

                                                            Filesize

                                                            241B

                                                            MD5

                                                            b3d8b1d8f9e84c3d29e0d3d2a2122efb

                                                            SHA1

                                                            d8aa2dd94ff7bef4ad3e15a2e2faaf33988387d1

                                                            SHA256

                                                            04f54c02a6ac9a3f363247f08cfb99f620d0484a7e7e555e1fd36a6e3de9501b

                                                            SHA512

                                                            9570dabfed846f09f412c4a31d4f82745a6f603b45eb1554ead9056ad8c9fa5bf766af378c3a48db4f0bca42fec8f72174f72010a094577710924bf431eea168

                                                          • C:\Users\Admin\AppData\Local\Temp\Cab2A9B.tmp

                                                            Filesize

                                                            70KB

                                                            MD5

                                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                                            SHA1

                                                            1723be06719828dda65ad804298d0431f6aff976

                                                            SHA256

                                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                            SHA512

                                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                          • C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat

                                                            Filesize

                                                            241B

                                                            MD5

                                                            a6d55e9a85d156f734845987865e312d

                                                            SHA1

                                                            432dd079491b3f1a03e3979cf0b0f5c812f09513

                                                            SHA256

                                                            9efe25c0625a5bcedf0261121e3aa19c83aac373c6945931f59a4ef466d2c328

                                                            SHA512

                                                            f33e2a5958523ae4984d82f7644e10233d919b2ccd1a507c70cc012fbeca95ab3132abdedb1389f54b59a02f5a7031068b0fad1ca5f392e5dcfc28154c092701

                                                          • C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat

                                                            Filesize

                                                            241B

                                                            MD5

                                                            934388c370167440b73b5e9d494917b6

                                                            SHA1

                                                            952916255ba144e43cd2235ad235cdc74019c19d

                                                            SHA256

                                                            5c7c5bd18e8c15b6d20ae6df5d2ef48476369c0100bba9aa90920b5381eb40bc

                                                            SHA512

                                                            b4aa62402f934f5812e70c4f14448545b20b67fb61b5d1024090147ab4299873af8c19913b8328a0aa92c91dd29f92f98f28bb1e701b0060d871955f9ab6b743

                                                          • C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat

                                                            Filesize

                                                            241B

                                                            MD5

                                                            787f867cd568dd3390f0828f26b57105

                                                            SHA1

                                                            166b6a7728abacb2c6c2d3921466fa21963b6627

                                                            SHA256

                                                            77d902a95bd9feded85b461b4e0aa02413322db2d993347a9705f58341884546

                                                            SHA512

                                                            41bbb79ded44d79f7e65bb6ed05e9ffc4095eaf5fca24290c6027fe4982425f1a33e057d9386f8eff94c79a6280362f8ee0a5d02c29becc1da59b1b97c0aa7d4

                                                          • C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

                                                            Filesize

                                                            241B

                                                            MD5

                                                            6d3eb680853c9d94dd051bb4235418f7

                                                            SHA1

                                                            af75b4a6a1f3a4879f151e99882409baefe67f67

                                                            SHA256

                                                            40b0a36209c796082b31873753eca5fdfc25a15b9c14e496dc912251c97444ca

                                                            SHA512

                                                            2f59dc539a73eea797c5c9093fab78242c48885a1d2b9d4f9f6438da95e10449635dbbdd8d8572619c9745da6ee6ba154a2db0ce18d675dcb691bff19883362d

                                                          • C:\Users\Admin\AppData\Local\Temp\Tar2B3A.tmp

                                                            Filesize

                                                            181KB

                                                            MD5

                                                            4ea6026cf93ec6338144661bf1202cd1

                                                            SHA1

                                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                                            SHA256

                                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                            SHA512

                                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                          • C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat

                                                            Filesize

                                                            241B

                                                            MD5

                                                            cd883d4a8d0a8b8e901713cd076d68b9

                                                            SHA1

                                                            ad8f8afdb4cc0f27a839fbf12c51c1b7922dfdd3

                                                            SHA256

                                                            8774238fbd788266654d1b92aa6cfdbda7fbb1b7421e7819c78226038202e6ce

                                                            SHA512

                                                            2af1ec42007838522f02004bfc5a7040c2544fd5998e2091f16d2ad788c1246c09c2f5d34ad20326aafb57f3e7e45f41b0a4aaa93bfa43dcfb9cca99e581dd3c

                                                          • C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat

                                                            Filesize

                                                            241B

                                                            MD5

                                                            f53f39a240bcfce180aa29eebb76d774

                                                            SHA1

                                                            c85bff5540138b68aaf9010c350ac48ad95aeeed

                                                            SHA256

                                                            2c3f991c332a48b9d250d761a8988602b47b9cdb70b0f1b02ae926dddc7b97ab

                                                            SHA512

                                                            80421b905b70ede07a8302fdc1108fadb4a09f1f4449c326945accef8d7aaf6b0930e619fd22dd1f94665552aec1debf839d46c952ce956c1796ce04b5f4f954

                                                          • C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

                                                            Filesize

                                                            241B

                                                            MD5

                                                            c414d5fc7532e6ce3a32dff65e408f0d

                                                            SHA1

                                                            ce6619414e295ad794209b5e77f797a62bb323b3

                                                            SHA256

                                                            73c7278c305f4d7a954a21057de381b4b729515e0e0039c435b3fcc5a20f2b0b

                                                            SHA512

                                                            7243040619f6da95bc43e018c00ac9b3161a1c11640dd400fa518acf6b5b5c70eac96283bc3f846243a2687e5306fb9b9ec175eeadceaabcc125b1ac135ffde0

                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KVWW43Y2AN13U8NT0FP4.temp

                                                            Filesize

                                                            7KB

                                                            MD5

                                                            a7eacb8c13014643eb42d41c48afff6b

                                                            SHA1

                                                            3c8f8f4b3964ccacd1ae4d42b81979c7f970377a

                                                            SHA256

                                                            63328a5fb294955d38a77b7cdffd896f1bd91dc9336dcbdff99d868ff3aea6a2

                                                            SHA512

                                                            9be09cebf287116956cc814b908e740298f7b4cc9be938ec103999c6dd1288a79c604d178d14928ad48c329d0bf715a6c2e910f3149ce5580a0badc13dc51dc4

                                                          • C:\providercommon\1zu9dW.bat

                                                            Filesize

                                                            36B

                                                            MD5

                                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                                            SHA1

                                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                            SHA256

                                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                            SHA512

                                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                          • C:\providercommon\DllCommonsvc.exe

                                                            Filesize

                                                            1.0MB

                                                            MD5

                                                            bd31e94b4143c4ce49c17d3af46bcad0

                                                            SHA1

                                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                            SHA256

                                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                            SHA512

                                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                            Filesize

                                                            197B

                                                            MD5

                                                            8088241160261560a02c84025d107592

                                                            SHA1

                                                            083121f7027557570994c9fc211df61730455bb5

                                                            SHA256

                                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                            SHA512

                                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                          • memory/920-238-0x00000000013C0000-0x00000000014D0000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                          • memory/1304-165-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

                                                            Filesize

                                                            32KB

                                                          • memory/1304-164-0x000000001B5A0000-0x000000001B882000-memory.dmp

                                                            Filesize

                                                            2.9MB

                                                          • memory/1748-477-0x0000000001320000-0x0000000001430000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                          • memory/1812-596-0x0000000000160000-0x0000000000172000-memory.dmp

                                                            Filesize

                                                            72KB

                                                          • memory/1860-297-0x00000000003C0000-0x00000000004D0000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                          • memory/1944-69-0x0000000000150000-0x0000000000162000-memory.dmp

                                                            Filesize

                                                            72KB

                                                          • memory/2424-52-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

                                                            Filesize

                                                            2.9MB

                                                          • memory/2424-54-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                                            Filesize

                                                            32KB

                                                          • memory/2672-17-0x0000000000B30000-0x0000000000B3C000-memory.dmp

                                                            Filesize

                                                            48KB

                                                          • memory/2672-14-0x0000000000450000-0x0000000000462000-memory.dmp

                                                            Filesize

                                                            72KB

                                                          • memory/2672-15-0x0000000000470000-0x000000000047C000-memory.dmp

                                                            Filesize

                                                            48KB

                                                          • memory/2672-13-0x00000000013B0000-0x00000000014C0000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                          • memory/2672-16-0x0000000000460000-0x000000000046C000-memory.dmp

                                                            Filesize

                                                            48KB

                                                          • memory/2724-357-0x0000000000E30000-0x0000000000F40000-memory.dmp

                                                            Filesize

                                                            1.1MB

                                                          • memory/3040-417-0x0000000000320000-0x0000000000430000-memory.dmp

                                                            Filesize

                                                            1.1MB