dcrat | a39cf9c0099f1c91e2d6c420a095fe92b7b8d5130f3269a0536d00d69885d187

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a39cf9c0099f1c91e2d6c420a095fe92b7b8d5130f3269a0536d00d69885d187.exe
Size

1.3MB
MD5

97d8f84cd7262853c17b38b0bc81f768
SHA1

600fd7020c6eaf0a63231bdb002d5b95d1c376e8
SHA256

a39cf9c0099f1c91e2d6c420a095fe92b7b8d5130f3269a0536d00d69885d187
SHA512

a83e6c78d795fb09e8357e5b0430952400d2c8be559c9f348aa109a020e7ae7ac5d4e2b86e179724f50a0cc6189fbe4b6935cf2c08ffeb54c9d70d3cb3307747
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2620	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000017472-9.dat	dcrat
behavioral1/memory/2800-13-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/640-251-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/2124-310-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/2592-371-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/2032-550-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/2996-610-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/1256-670-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 31 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2324	powershell.exe
768	powershell.exe
2192	powershell.exe
396	powershell.exe
580	powershell.exe
868	powershell.exe
2336	powershell.exe
1684	powershell.exe
1488	powershell.exe
444	powershell.exe
1544	powershell.exe
2592	powershell.exe
1128	powershell.exe
2464	powershell.exe
640	powershell.exe
1924	powershell.exe
2208	powershell.exe
688	powershell.exe
2020	powershell.exe
908	powershell.exe
2344	powershell.exe
2768	powershell.exe
2180	powershell.exe
1936	powershell.exe
2400	powershell.exe
2044	powershell.exe
2856	powershell.exe
436	powershell.exe
2120	powershell.exe
948	powershell.exe
2656	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2800	DllCommonsvc.exe
2988	DllCommonsvc.exe
828	DllCommonsvc.exe
640	powershell.exe
2124	powershell.exe
2592	powershell.exe
1820	powershell.exe
1980	powershell.exe
2032	powershell.exe
2996	powershell.exe
1256	powershell.exe
2956	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2820	cmd.exe
2820	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
19	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
29	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\e978f868350d50	DllCommonsvc.exe
File created	C:\Windows\Globalization\System.exe	DllCommonsvc.exe
File created	C:\Windows\Globalization\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\AppPatch\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a39cf9c0099f1c91e2d6c420a095fe92b7b8d5130f3269a0536d00d69885d187.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1728	schtasks.exe
2644	schtasks.exe
2392	schtasks.exe
1640	schtasks.exe
2412	schtasks.exe
1520	schtasks.exe
2796	schtasks.exe
1660	schtasks.exe
824	schtasks.exe
1504	schtasks.exe
3068	schtasks.exe
2812	schtasks.exe
1084	schtasks.exe
2388	schtasks.exe
2528	schtasks.exe
1456	schtasks.exe
604	schtasks.exe
1080	schtasks.exe
3008	schtasks.exe
1788	schtasks.exe
1704	schtasks.exe
1300	schtasks.exe
752	schtasks.exe
304	schtasks.exe
2556	schtasks.exe
2192	schtasks.exe
1508	schtasks.exe
2792	schtasks.exe
2100	schtasks.exe
2924	schtasks.exe
3000	schtasks.exe
2260	schtasks.exe
1528	schtasks.exe
2968	schtasks.exe
1600	schtasks.exe
2012	schtasks.exe
1680	schtasks.exe
1428	schtasks.exe
2780	schtasks.exe
2680	schtasks.exe
836	schtasks.exe
2656	schtasks.exe
2312	schtasks.exe
2776	schtasks.exe
2596	schtasks.exe
2076	schtasks.exe
2852	schtasks.exe
2320	schtasks.exe
2176	schtasks.exe
1852	schtasks.exe
2796	schtasks.exe
2384	schtasks.exe
1092	schtasks.exe
2408	schtasks.exe
1768	schtasks.exe
2072	schtasks.exe
1936	schtasks.exe
564	schtasks.exe
904	schtasks.exe
1980	schtasks.exe
1696	schtasks.exe
2940	schtasks.exe
2164	schtasks.exe
2240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	DllCommonsvc.exe
2592	powershell.exe
580	powershell.exe
868	powershell.exe
640	powershell.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2336	powershell.exe
2344	powershell.exe
2120	powershell.exe
1488	powershell.exe
948	powershell.exe
1684	powershell.exe
2044	powershell.exe
2208	powershell.exe
2020	powershell.exe
828	DllCommonsvc.exe
2464	powershell.exe
1924	powershell.exe
768	powershell.exe
688	powershell.exe
1128	powershell.exe
2856	powershell.exe
2324	powershell.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
828	DllCommonsvc.exe
2400	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	DllCommonsvc.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2988	DllCommonsvc.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	828	DllCommonsvc.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2768	2160	a39cf9c0099f1c91e2d6c420a095fe92b7b8d5130f3269a0536d00d69885d187.exe	30
PID 2160 wrote to memory of 2768	2160	a39cf9c0099f1c91e2d6c420a095fe92b7b8d5130f3269a0536d00d69885d187.exe	30
PID 2160 wrote to memory of 2768	2160	a39cf9c0099f1c91e2d6c420a095fe92b7b8d5130f3269a0536d00d69885d187.exe	30
PID 2160 wrote to memory of 2768	2160	a39cf9c0099f1c91e2d6c420a095fe92b7b8d5130f3269a0536d00d69885d187.exe	30
PID 2768 wrote to memory of 2820	2768	WScript.exe	31
PID 2768 wrote to memory of 2820	2768	WScript.exe	31
PID 2768 wrote to memory of 2820	2768	WScript.exe	31
PID 2768 wrote to memory of 2820	2768	WScript.exe	31
PID 2820 wrote to memory of 2800	2820	cmd.exe	33
PID 2820 wrote to memory of 2800	2820	cmd.exe	33
PID 2820 wrote to memory of 2800	2820	cmd.exe	33
PID 2820 wrote to memory of 2800	2820	cmd.exe	33
PID 2800 wrote to memory of 580	2800	DllCommonsvc.exe	44
PID 2800 wrote to memory of 580	2800	DllCommonsvc.exe	44
PID 2800 wrote to memory of 580	2800	DllCommonsvc.exe	44
PID 2800 wrote to memory of 640	2800	DllCommonsvc.exe	45
PID 2800 wrote to memory of 640	2800	DllCommonsvc.exe	45
PID 2800 wrote to memory of 640	2800	DllCommonsvc.exe	45
PID 2800 wrote to memory of 868	2800	DllCommonsvc.exe	46
PID 2800 wrote to memory of 868	2800	DllCommonsvc.exe	46
PID 2800 wrote to memory of 868	2800	DllCommonsvc.exe	46
PID 2800 wrote to memory of 2592	2800	DllCommonsvc.exe	48
PID 2800 wrote to memory of 2592	2800	DllCommonsvc.exe	48
PID 2800 wrote to memory of 2592	2800	DllCommonsvc.exe	48
PID 2800 wrote to memory of 2140	2800	DllCommonsvc.exe	52
PID 2800 wrote to memory of 2140	2800	DllCommonsvc.exe	52
PID 2800 wrote to memory of 2140	2800	DllCommonsvc.exe	52
PID 2140 wrote to memory of 1716	2140	cmd.exe	54
PID 2140 wrote to memory of 1716	2140	cmd.exe	54
PID 2140 wrote to memory of 1716	2140	cmd.exe	54
PID 2140 wrote to memory of 2988	2140	cmd.exe	55
PID 2140 wrote to memory of 2988	2140	cmd.exe	55
PID 2140 wrote to memory of 2988	2140	cmd.exe	55
PID 2988 wrote to memory of 2120	2988	DllCommonsvc.exe	101
PID 2988 wrote to memory of 2120	2988	DllCommonsvc.exe	101
PID 2988 wrote to memory of 2120	2988	DllCommonsvc.exe	101
PID 2988 wrote to memory of 2336	2988	DllCommonsvc.exe	102
PID 2988 wrote to memory of 2336	2988	DllCommonsvc.exe	102
PID 2988 wrote to memory of 2336	2988	DllCommonsvc.exe	102
PID 2988 wrote to memory of 1488	2988	DllCommonsvc.exe	104
PID 2988 wrote to memory of 1488	2988	DllCommonsvc.exe	104
PID 2988 wrote to memory of 1488	2988	DllCommonsvc.exe	104
PID 2988 wrote to memory of 2344	2988	DllCommonsvc.exe	106
PID 2988 wrote to memory of 2344	2988	DllCommonsvc.exe	106
PID 2988 wrote to memory of 2344	2988	DllCommonsvc.exe	106
PID 2988 wrote to memory of 948	2988	DllCommonsvc.exe	108
PID 2988 wrote to memory of 948	2988	DllCommonsvc.exe	108
PID 2988 wrote to memory of 948	2988	DllCommonsvc.exe	108
PID 2988 wrote to memory of 1684	2988	DllCommonsvc.exe	109
PID 2988 wrote to memory of 1684	2988	DllCommonsvc.exe	109
PID 2988 wrote to memory of 1684	2988	DllCommonsvc.exe	109
PID 2988 wrote to memory of 1924	2988	DllCommonsvc.exe	111
PID 2988 wrote to memory of 1924	2988	DllCommonsvc.exe	111
PID 2988 wrote to memory of 1924	2988	DllCommonsvc.exe	111
PID 2988 wrote to memory of 768	2988	DllCommonsvc.exe	114
PID 2988 wrote to memory of 768	2988	DllCommonsvc.exe	114
PID 2988 wrote to memory of 768	2988	DllCommonsvc.exe	114
PID 2988 wrote to memory of 2020	2988	DllCommonsvc.exe	116
PID 2988 wrote to memory of 2020	2988	DllCommonsvc.exe	116
PID 2988 wrote to memory of 2020	2988	DllCommonsvc.exe	116
PID 2988 wrote to memory of 2856	2988	DllCommonsvc.exe	117
PID 2988 wrote to memory of 2856	2988	DllCommonsvc.exe	117
PID 2988 wrote to memory of 2856	2988	DllCommonsvc.exe	117
PID 2988 wrote to memory of 2044	2988	DllCommonsvc.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a39cf9c0099f1c91e2d6c420a095fe92b7b8d5130f3269a0536d00d69885d187.exe
"C:\Users\Admin\AppData\Local\Temp\a39cf9c0099f1c91e2d6c420a095fe92b7b8d5130f3269a0536d00d69885d187.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6d8UTaE6fG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1716
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\lsm.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\powershell.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\conhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\powershell.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\powershell.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUlUtrswAz.bat"
        8⤵
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1256
        
        C:\Users\Default User\powershell.exe
        
        "C:\Users\Default User\powershell.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat"
        10⤵
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2376
        
        C:\Users\Default User\powershell.exe
        
        "C:\Users\Default User\powershell.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        12⤵
        
        PID:300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1480
        
        C:\Users\Default User\powershell.exe
        
        "C:\Users\Default User\powershell.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat"
        14⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1144
        
        C:\Users\Default User\powershell.exe
        
        "C:\Users\Default User\powershell.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
        16⤵
        
        PID:640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2376
        
        C:\Users\Default User\powershell.exe
        
        "C:\Users\Default User\powershell.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat"
        18⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:916
        
        C:\Users\Default User\powershell.exe
        
        "C:\Users\Default User\powershell.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
        20⤵
        
        PID:940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:804
        
        C:\Users\Default User\powershell.exe
        
        "C:\Users\Default User\powershell.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        22⤵
        
        PID:2636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2584
        
        C:\Users\Default User\powershell.exe
        
        "C:\Users\Default User\powershell.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"
        24⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:824
        
        C:\Users\Default User\powershell.exe
        
        "C:\Users\Default User\powershell.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        26⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Globalization\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\AppPatch\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\NetHood\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f
1⤵
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\en-US\powershell.exe'" /f
1⤵
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78c593c4a76e789a20e18a043df1c7fa

SHA1
346a79e577e8cb7117f1f2ce241ecd767bfbdb7c

SHA256
536e07b0b1176f66e1eeedef38b6932e4d8157a220fabc960b8496af4cfa7bac

SHA512
bdd5532901cdcce09e3edb38fb893fbbcddd8e4b8a1effacad210278815d6310a1731c9fe5b583c9a5a997c841a3a989761b2ad0f20b23dc50d7f2bda1a8304e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d3bd218fe7d133d9823acda2562f0a1

SHA1
05380c87ee6a446a54fe610219c70a9449973da8

SHA256
72522c26d0d2fb814c1175a4a4fee9b706bc73c1bc39964f6462593a3a19cf51

SHA512
83404fc80ba43d2a57dba3d9ba49b41d5029a86d0dab1b27d1de2880c040778143b42954e2cac1606cf5b82157f0d2ecd3b71691334b73051314a314c7b9d7ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24166e3a207a3caa24ade05824250dd9

SHA1
f53e821452a90f12617e9d874318325947eb0f8f

SHA256
7e3610d7caeee519126d23296cd862e44c65250ec605368dc97fc71a4eba3487

SHA512
834880602b4bf5f6929d650b8c76d14900d1a19db0642f2901fc18d29ac9cf91fa849a66065dd38098f6262a4c9139e1db5b7ad270601d7bb0eb7e3984a4ac2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bfc729dcbfe6d21329f202d78f2e450

SHA1
dd5c073318a39921cc4fa17a9e7029806db180d7

SHA256
4487b9e1fe922406f08d6b3ea5d98ddfdc60377288f2ee9976d92a02e75128bb

SHA512
26aaecd48c0a3f60cf353a39453b222c574414f18e24c271af0120a60eb5b51621b280d10edd9d7188c044c87e4fcb4dd882e44481bd59feb36a9b488a709b4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea1e29636efad358b35f1ff98be1faca

SHA1
c03f5273542c8bf00dd7538765cb1699c782f1e8

SHA256
8bbb6bb9dd132b36dac1d18d7a061d633bbcd920d12b1462773b1077755e1d9e

SHA512
37dbf970eeb64c5828dac7f6dfdf8bc9ba61451d1733dee0676ec8de415ccd001680415889cc0cabe2ec26217efd81ee01e307c597797928406d9afbe20681f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0ad12582424562d73dc28a9740f89ea

SHA1
9b09b878623d24ff63375450388b6315a8d0de0c

SHA256
9d3e65fb341dd17395fed32a2b111b86f8a1639d267bbc59b599772ecc2b4531

SHA512
2ad5642fdfb42a813539df101597baaa5cb6a3edd307376775028e830750db19ad8fe669bda7bbe29980590b0cc852fbdaab1a0731247768821f80ed58dd13f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68464a0f97cb98b3379181655e26c65a

SHA1
3094c1c1669a33757cb5cb73cecb819aa059e259

SHA256
25cebbcff282e0701987f91460323e614f614b8893db5719532c5283f600fa05

SHA512
4b52894e34faa0c3619aa40dc34ce8e4ad06ecf1bfe299316b2874a0ec1d40143e92ea34f83ac83bccd3b32f96ae324bf5711afb0750ca78d06ae2dc320184d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

Filesize
201B

MD5
4458ff44270e1fe883426ee0c33c1d85

SHA1
f5964213309219c83e78967a4ef145f5b9cf4bea

SHA256
494516d15094ad9afc513f35e4c78b4949146664cbef6074ae888d6f92a9999e

SHA512
310be2f9afec6da25f7e521bbe694045f0673febe63cf9d97bf099cd4b862e8b0e4acb1f6a660ff9e344e3f3d78084d1b2218e67f0adf3e1f526b9d22a3516a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat

Filesize
201B

MD5
ac5c9024eb26164200c1a1d6fd1766d6

SHA1
2ecd48d9d61a841c85e93bf699d9290d4f391ee2

SHA256
e211fc5ff191b56e93459f664f408d30dd119e19492f92acc2273142f04c3e96

SHA512
e484684a9c0921764d8ac9fa3a481dfad5e0bd7a2268d57f754318f8114ba81fd7b816f9c458e594d80c6727892a00bc5c49a0c69ed36a64dbe45bf36035d76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat

Filesize
201B

MD5
49e9aea0badaead7ed320466756c6e65

SHA1
8b7c6b53158a4bc606afc453048a48651fe45c3d

SHA256
8db940ce0bff727b52cd63e844c3f14f6d0a351aaa29cd9f500f42bbd922db18

SHA512
e6f57dd17ad2899f2684f719927e2975fd988ab312d533ed31fcb70b6560cd50effb23781e4e6a8c3261502f548568e1fb4ec6b4d8fa2535bbfd2462131d5f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d8UTaE6fG.bat

Filesize
199B

MD5
add773d203833e6c059593db4f87bfc7

SHA1
931e3202897e169fe53a85bf84091819316bac7f

SHA256
bba867bdad04a512a1ba5f45b500218d914e0d69ed9f8941246daa9d8f3a439f

SHA512
3ee2f1a5b4ae5b8622ebc169e405aff56d6936f57cd441df0aec6b946b73186e3a52e3cb52924302f16c1c8673158226bce2972ba14aeee2abed163173619b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
201B

MD5
11552be6a0ed527cbbff005979309a78

SHA1
cebd53aa6e956ea2e697038f85a3868678532daa

SHA256
f46cabb7ffe734392cb7171561026e492e1702f513bfdaf29fd5b7f5d9ac358f

SHA512
3cf26a6a1b213a092f8aa3cf44ae23dd7146ae4cdc20c00a164d88450e8f87d762973ca864d42608afd2dc51395ee027354c2c7ee95c8c86aac77e9be36a90d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab758F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
201B

MD5
5516628141f2b0de25fd54faa6abe5c7

SHA1
b9b858c96d4e03da04efcbb39078632937693357

SHA256
c6dd5590750e51098cc69a16d45325f26ce9ab912d924a1fc3dc54976f24f9f8

SHA512
f99b4e3a99ab0ae0ad7ebc22afcb0abe973d0e71800ad43f064a1c175755741ec13034d771773f60e94899fac5da69d6cd99922b7f651cf8eedf1b9bba4bebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar75A2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

Filesize
201B

MD5
f95776c2b23ead1413bfe14a099957c2

SHA1
b73a031f2a109cdb2ce637222fb636eab81a1c66

SHA256
60201c1872288b68c1a7184448add3a98fc7d95c3b3d80ad5fc07faf9d539fab

SHA512
efb72d8c4f82de179378d97c80a110bd63e4e688a26dea0bcab3d01330589faf4f2d349caa55c5fe724f8c6e996793b563893ecb32c73111a848f090798993aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUlUtrswAz.bat

Filesize
201B

MD5
a83f10b118d8c131fa8c6b645dab0d53

SHA1
5e2444ea3b0d0d6501dd41732d5871778841736d

SHA256
41aa447164338c327374d0efacd44336e7deb498639cb35b6a849a1e41967f01

SHA512
561acecf573199fa471f5c1d5fc48e0899f269a1776aaeaeec623e39e19120b69d6a7b66a7d136e8671d631c6e2414dac0509e083c12e989e86f9d63e3749664

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat

Filesize
201B

MD5
a7dcb516cd86ed9339c48dda660f328d

SHA1
c135a3048f3e04c79cc755044fd84b814518aee7

SHA256
ce9e59180a9e506bdec69e3ddb96b94206757cf11da31419e3ac807e72d1f0ef

SHA512
8375fbc88aa54e0edd147da090c00feb93983cfb10e198b04be1b7e3f08e10a19fc2cdc337f936653e30c93dba5bb3480cc585853188a6e2f8b6d44834d968fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat

Filesize
201B

MD5
a1ea40fd28904d02bb8edbd1989c7445

SHA1
4e6fa0cf9db8a11cd965f2c10f32d9c0b858f0a5

SHA256
f47e1a8a363cc146b982081cd46a2a47d4f507f71907448dea8b261ba359ef8c

SHA512
311ea5c93da0cd088e28412ab0d10a5edea05db18185332ba65c19ddc9d726db962eda9dffdd8a3f0dba809e8412eff8aae56ec8d27ed1c33863bed8ad124d42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f254bffe9560f4b3afde51ee1d7a6286

SHA1
090651496e46e97e4db02579cfe7615f5487d2cc

SHA256
ef2767f393d8c996869107bf2232ecff0c105fd0562b6ef1391fe5db59978627

SHA512
30196258fe074bbe4eb9a8ae40862e783c8fcbe3b974d04bf4525652225502be02402df404a67a83d663cf57f0e2d4aa98d184b44223ad934d4591f56b9427b9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/436-223-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/640-251-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/828-125-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1256-670-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/2032-550-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/2124-311-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2124-310-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/2336-94-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2336-88-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2400-219-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2592-372-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2592-371-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/2592-48-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2592-47-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2800-15-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2800-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2800-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2800-13-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download
memory/2800-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2996-610-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download