dcrat | 4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe
Size

1.3MB
MD5

a1cf5062e5faf2371cfcb53d29e09464
SHA1

2a50ffad16c528707a7ebf453f9c0d91258ac132
SHA256

4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449
SHA512

8a14c9bcdb08770c742c52987d80d34d23da772255086c3a73515084355d72e361f39262bd6171900eabf9c71aee1985886ce04af8ac930dcf607db58c2d87e8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3412	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	3412	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb4-10.dat	dcrat
behavioral2/memory/4124-13-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1832	powershell.exe
3368	powershell.exe
3524	powershell.exe
4668	powershell.exe
1732	powershell.exe
3684	powershell.exe
4476	powershell.exe
516	powershell.exe
3236	powershell.exe
1064	powershell.exe
5052	powershell.exe
3976	powershell.exe
3404	powershell.exe
3120	powershell.exe
1076	powershell.exe
3840	powershell.exe
1052	powershell.exe
4676	powershell.exe
2788	powershell.exe
4160	powershell.exe
1504	powershell.exe
4928	powershell.exe
4728	powershell.exe
4624	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 15 IoCs

pid	Process
4124	DllCommonsvc.exe
1004	DllCommonsvc.exe
5084	TextInputHost.exe
6032	TextInputHost.exe
3652	TextInputHost.exe
5452	TextInputHost.exe
1964	TextInputHost.exe
3360	TextInputHost.exe
2960	TextInputHost.exe
3296	TextInputHost.exe
464	TextInputHost.exe
2004	TextInputHost.exe
5764	TextInputHost.exe
6036	TextInputHost.exe
5200	TextInputHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
45	raw.githubusercontent.com
17	raw.githubusercontent.com
44	raw.githubusercontent.com
54	raw.githubusercontent.com
25	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
41	raw.githubusercontent.com
40	raw.githubusercontent.com
46	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\locale\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\locale\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\Registry.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Logs\WindowsUpdate\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\WindowsUpdate\55b276f4edf653	DllCommonsvc.exe
File created	C:\Windows\apppatch\de-DE\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\apppatch\de-DE\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Installer\sysmon.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\121e5b5079f7c0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4024	schtasks.exe
2748	schtasks.exe
4340	schtasks.exe
2812	schtasks.exe
5020	schtasks.exe
1848	schtasks.exe
1624	schtasks.exe
1240	schtasks.exe
3764	schtasks.exe
4524	schtasks.exe
2644	schtasks.exe
3656	schtasks.exe
640	schtasks.exe
4852	schtasks.exe
4032	schtasks.exe
5068	schtasks.exe
2340	schtasks.exe
1260	schtasks.exe
2628	schtasks.exe
4872	schtasks.exe
3044	schtasks.exe
4356	schtasks.exe
2004	schtasks.exe
4620	schtasks.exe
3652	schtasks.exe
4372	schtasks.exe
2988	schtasks.exe
3240	schtasks.exe
2012	schtasks.exe
3268	schtasks.exe
3968	schtasks.exe
4916	schtasks.exe
436	schtasks.exe
3056	schtasks.exe
4092	schtasks.exe
4512	schtasks.exe
2076	schtasks.exe
3268	schtasks.exe
2144	schtasks.exe
4364	schtasks.exe
2888	schtasks.exe
3544	schtasks.exe
1400	schtasks.exe
2988	schtasks.exe
4468	schtasks.exe
3064	schtasks.exe
3416	schtasks.exe
2520	schtasks.exe
3616	schtasks.exe
4428	schtasks.exe
3112	schtasks.exe
4484	schtasks.exe
2548	schtasks.exe
4352	schtasks.exe
3152	schtasks.exe
4740	schtasks.exe
3168	schtasks.exe
1804	schtasks.exe
2224	schtasks.exe
4880	schtasks.exe
456	schtasks.exe
4132	schtasks.exe
1084	schtasks.exe
4980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4124	DllCommonsvc.exe
4124	DllCommonsvc.exe
4124	DllCommonsvc.exe
4124	DllCommonsvc.exe
4124	DllCommonsvc.exe
4124	DllCommonsvc.exe
3840	powershell.exe
3236	powershell.exe
1504	powershell.exe
3236	powershell.exe
3524	powershell.exe
3840	powershell.exe
1504	powershell.exe
3524	powershell.exe
1004	DllCommonsvc.exe
1004	DllCommonsvc.exe
1004	DllCommonsvc.exe
1004	DllCommonsvc.exe
1004	DllCommonsvc.exe
1004	DllCommonsvc.exe
1004	DllCommonsvc.exe
1004	DllCommonsvc.exe
516	powershell.exe
3684	powershell.exe
516	powershell.exe
3684	powershell.exe
1064	powershell.exe
1064	powershell.exe
4160	powershell.exe
4160	powershell.exe
1076	powershell.exe
1076	powershell.exe
1732	powershell.exe
1732	powershell.exe
1832	powershell.exe
1832	powershell.exe
4928	powershell.exe
4928	powershell.exe
3120	powershell.exe
3120	powershell.exe
4728	powershell.exe
4728	powershell.exe
4668	powershell.exe
4668	powershell.exe
3976	powershell.exe
3976	powershell.exe
1052	powershell.exe
1052	powershell.exe
5052	powershell.exe
5052	powershell.exe
2788	powershell.exe
2788	powershell.exe
4624	powershell.exe
4624	powershell.exe
4160	powershell.exe
4676	powershell.exe
4676	powershell.exe
3404	powershell.exe
3404	powershell.exe
3368	powershell.exe
3368	powershell.exe
5084	TextInputHost.exe
5084	TextInputHost.exe
4476	powershell.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	DllCommonsvc.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	1004	DllCommonsvc.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	5084	TextInputHost.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	6032	TextInputHost.exe
Token: SeDebugPrivilege	3652	TextInputHost.exe
Token: SeDebugPrivilege	5452	TextInputHost.exe
Token: SeDebugPrivilege	1964	TextInputHost.exe
Token: SeDebugPrivilege	3360	TextInputHost.exe
Token: SeDebugPrivilege	2960	TextInputHost.exe
Token: SeDebugPrivilege	3296	TextInputHost.exe
Token: SeDebugPrivilege	464	TextInputHost.exe
Token: SeDebugPrivilege	2004	TextInputHost.exe
Token: SeDebugPrivilege	5764	TextInputHost.exe
Token: SeDebugPrivilege	6036	TextInputHost.exe
Token: SeDebugPrivilege	5200	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 2084	244	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe	82
PID 244 wrote to memory of 2084	244	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe	82
PID 244 wrote to memory of 2084	244	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe	82
PID 2084 wrote to memory of 4712	2084	WScript.exe	83
PID 2084 wrote to memory of 4712	2084	WScript.exe	83
PID 2084 wrote to memory of 4712	2084	WScript.exe	83
PID 4712 wrote to memory of 4124	4712	cmd.exe	85
PID 4712 wrote to memory of 4124	4712	cmd.exe	85
PID 4124 wrote to memory of 3524	4124	DllCommonsvc.exe	96
PID 4124 wrote to memory of 3524	4124	DllCommonsvc.exe	96
PID 4124 wrote to memory of 3236	4124	DllCommonsvc.exe	97
PID 4124 wrote to memory of 3236	4124	DllCommonsvc.exe	97
PID 4124 wrote to memory of 1504	4124	DllCommonsvc.exe	98
PID 4124 wrote to memory of 1504	4124	DllCommonsvc.exe	98
PID 4124 wrote to memory of 3840	4124	DllCommonsvc.exe	99
PID 4124 wrote to memory of 3840	4124	DllCommonsvc.exe	99
PID 4124 wrote to memory of 4244	4124	DllCommonsvc.exe	103
PID 4124 wrote to memory of 4244	4124	DllCommonsvc.exe	103
PID 4244 wrote to memory of 2284	4244	cmd.exe	106
PID 4244 wrote to memory of 2284	4244	cmd.exe	106
PID 4244 wrote to memory of 1004	4244	cmd.exe	107
PID 4244 wrote to memory of 1004	4244	cmd.exe	107
PID 1004 wrote to memory of 4728	1004	DllCommonsvc.exe	165
PID 1004 wrote to memory of 4728	1004	DllCommonsvc.exe	165
PID 1004 wrote to memory of 1732	1004	DllCommonsvc.exe	166
PID 1004 wrote to memory of 1732	1004	DllCommonsvc.exe	166
PID 1004 wrote to memory of 1052	1004	DllCommonsvc.exe	167
PID 1004 wrote to memory of 1052	1004	DllCommonsvc.exe	167
PID 1004 wrote to memory of 4928	1004	DllCommonsvc.exe	168
PID 1004 wrote to memory of 4928	1004	DllCommonsvc.exe	168
PID 1004 wrote to memory of 4668	1004	DllCommonsvc.exe	169
PID 1004 wrote to memory of 4668	1004	DllCommonsvc.exe	169
PID 1004 wrote to memory of 1064	1004	DllCommonsvc.exe	170
PID 1004 wrote to memory of 1064	1004	DllCommonsvc.exe	170
PID 1004 wrote to memory of 4676	1004	DllCommonsvc.exe	171
PID 1004 wrote to memory of 4676	1004	DllCommonsvc.exe	171
PID 1004 wrote to memory of 3684	1004	DllCommonsvc.exe	172
PID 1004 wrote to memory of 3684	1004	DllCommonsvc.exe	172
PID 1004 wrote to memory of 5052	1004	DllCommonsvc.exe	173
PID 1004 wrote to memory of 5052	1004	DllCommonsvc.exe	173
PID 1004 wrote to memory of 4476	1004	DllCommonsvc.exe	174
PID 1004 wrote to memory of 4476	1004	DllCommonsvc.exe	174
PID 1004 wrote to memory of 1832	1004	DllCommonsvc.exe	175
PID 1004 wrote to memory of 1832	1004	DllCommonsvc.exe	175
PID 1004 wrote to memory of 3976	1004	DllCommonsvc.exe	176
PID 1004 wrote to memory of 3976	1004	DllCommonsvc.exe	176
PID 1004 wrote to memory of 4624	1004	DllCommonsvc.exe	177
PID 1004 wrote to memory of 4624	1004	DllCommonsvc.exe	177
PID 1004 wrote to memory of 2788	1004	DllCommonsvc.exe	178
PID 1004 wrote to memory of 2788	1004	DllCommonsvc.exe	178
PID 1004 wrote to memory of 3404	1004	DllCommonsvc.exe	179
PID 1004 wrote to memory of 3404	1004	DllCommonsvc.exe	179
PID 1004 wrote to memory of 4160	1004	DllCommonsvc.exe	180
PID 1004 wrote to memory of 4160	1004	DllCommonsvc.exe	180
PID 1004 wrote to memory of 3368	1004	DllCommonsvc.exe	181
PID 1004 wrote to memory of 3368	1004	DllCommonsvc.exe	181
PID 1004 wrote to memory of 1076	1004	DllCommonsvc.exe	182
PID 1004 wrote to memory of 1076	1004	DllCommonsvc.exe	182
PID 1004 wrote to memory of 3120	1004	DllCommonsvc.exe	183
PID 1004 wrote to memory of 3120	1004	DllCommonsvc.exe	183
PID 1004 wrote to memory of 516	1004	DllCommonsvc.exe	185
PID 1004 wrote to memory of 516	1004	DllCommonsvc.exe	185
PID 1004 wrote to memory of 5084	1004	DllCommonsvc.exe	205
PID 1004 wrote to memory of 5084	1004	DllCommonsvc.exe	205

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\de8XdyWh5a.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2284
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\sihost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\WindowsUpdate\StartMenuExperienceHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\SearchApp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\apppatch\de-DE\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\sysmon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sihost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\upfc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:516
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        8⤵
        
        PID:5832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5908
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat"
        10⤵
        
        PID:3112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:928
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
        12⤵
        
        PID:4368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1372
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat"
        14⤵
        
        PID:556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:640
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat"
        16⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5176
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
        18⤵
        
        PID:3384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4092
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        20⤵
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2644
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
        22⤵
        
        PID:3880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:5312
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"
        24⤵
        
        PID:4192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1356
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
        26⤵
        
        PID:5408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:5776
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        28⤵
        
        PID:6040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:5676
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        30⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:1904
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        32⤵
        
        PID:4984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\My Documents\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\WindowsUpdate\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Logs\WindowsUpdate\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\WindowsUpdate\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\apppatch\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\apppatch\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\apppatch\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Installer\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c86ac3c1bf032c09c871b58e4f257db0

SHA1
915800e8ba0bbbe2fc6b8f4390f265373013fca6

SHA256
6fd214d717629205040f2bd02607b0be2b83a34fedb2019d202ba327a6e03d05

SHA512
be64910fa87861b728334762f95afb5ced93b4ee4f0736ce288e37840333e1674a25d2e8c57f0bbbeac432359ce9a89fffb1a5bfd1895c243337aa4889867f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c625954a51c4bbd8141206b00f6fc0a

SHA1
4128cb2f9d2984844e303e2e330e448334e5c273

SHA256
952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

SHA512
3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01841b4277227c0578c89131444e7d57

SHA1
b00fbb6cabb5d09d50c28c0fdc62e5e6917b0c5d

SHA256
34797c2cafe0d94ea265e6aba8e38c3c34532e125bdd6dc8c1eab16a977a8cfa

SHA512
15c656ce162ff535506f9f22d285355576e53b89baebc1064523ab59f2eccb111cdd71c1fd66e59995d0727993bd268c976a9bd6cd78ff78d19a3c13436f0497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aba273eeba4876ea41ee0e64b4cbb51d

SHA1
bef5f75b81cf27268dc0d0f30f00b022f9288db9

SHA256
67fc3f5c3407858793c6fac6131b0f340667ffc567fa76b43245ecf2621322c9

SHA512
23dc2f0cfc68194dcbf407a6528cf9f9a8aa89f4821be22413bde036ae5ca44144b568aa3160372b9741f3d0f5baa48dff8a8b582bdedc3ad3fb121af340c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b740f7616c3c3d006afd7e1586758eeb

SHA1
c465af4c07ecb9e3de239c410d3b2ed5de93cdde

SHA256
c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

SHA512
d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
58d5391a088420e4f58d801ed9f217a6

SHA1
3a9795e248a126b315449549980768729ac2d517

SHA256
5bfe4b5e9492f71d0f90fd6db10ac170c0aaaa932ebc5da9a30b80ab47a6d51f

SHA512
e650e3e9102f9200780215a596549b030fca83433d6fb2e5ecd6bdcc561826a673a83fa75694fb689a1dcd6b049d2fcae324b9dc9bfcd3fcced4f74326a04943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f744cd7aaf7746b659b70728f3172e24

SHA1
cbd6215e6f9416d2bcd48e6e9f56618c48fbbd00

SHA256
917a1e7bd5e754048e17c20e320bc5f06644c7292e7c38334743dcb50e3aec15

SHA512
394f71c4674543f74bef27b0314f997052a1ce0113ce923c4303ea81319995184a55e8582d163bd163b0723e7beb2596f01a6e9e875f11568f117b0218f64fe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6b4e39689cee6c9a38f5a03b68b3df72

SHA1
af6cc92ac1532a1059151831885c2929d83f8107

SHA256
01bd20c1140847c1d579ca92531850535e5b0aaddfce3c8648716dc1cb811f8d

SHA512
9fb0e8c8ebd43525f8364eff0d18c02a34c044d14558cfbea351d283f03df9b84e3e32453e296b2cd844b785dcefef75adfeaff401d80462959104033fe7ba02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee02cdcb025f6203e04573a984c71fbe

SHA1
1774451134cd51ae4523770e0477986c5a9efc2e

SHA256
bc6a014548dc12c82211b19a3ac9394146c52cd0e12e9f3351940037376a092f

SHA512
64f1206ec3c3379f9a2adb043e7abf8aeb3f9d3f052c7f398b5aea8ca65843bcd6a21e741545d807a4f78278c71492c3c612102e6853340ee8fdf5931b9c3765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2262839c93970e05099a4a7d8d6bf51b

SHA1
5bdc2124f4d84180ab974594fc5d0acce89e02bc

SHA256
df5987de92b53918f66a554e5599a52da01e174b13cd27ac4ba9b12e5b402a65

SHA512
b2c74af14d5f73122c881a2e3e8e94df5c38bc116c837052e21384a3b20167d7746a86680ce88b22e477117924b2fba5d4748135dbd96448e85b77c8bdaf9e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat

Filesize
238B

MD5
6fea7a4a345024980d9a3273cb04ca3a

SHA1
f0c79ca7fc28e4b47d39589b4d8b8cabe0aff0f2

SHA256
d7323463d50e1d501c73439eef777f8c6a79bf3ebf0c8ce8c58291d118c8f092

SHA512
45c611802c3dd58065fe69fd01c844b5c6c1875a0b85ec597a93cc941c011a63c2c277bd8683d422a1c371a384723d7d3f3a3d288644734a5b1f57a49b02536b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat

Filesize
238B

MD5
f380a893940efce580da8f95248d6a0a

SHA1
db2566ed7f7021c20d51f9e1eaf04bacbed98ade

SHA256
8ebf501d91031f2795e6227712513305d014d1de8df408fb7b599ed023797ad5

SHA512
829a656895a5e18dce36a7f2cfe0ee4f470a60cbe47ecc1df35ff55fe7a88402c9a3a736b3aff70c157c1691ca8fbccfa65429ff79b1ebc16594cd6617414266

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
238B

MD5
1853f97027c5bc46c5b4ec9439ede065

SHA1
f74dd30a219288540e5bdbb29bad55836b7ed6a3

SHA256
d1bff599e44cdef18fc27f51cc7141d4bd286fc483402db72c4dce7a31125a62

SHA512
1580782b2bc15a8eb267251062bf833983249de3b4567444fe023ab15b95ad3acc4dc3a8daa5753707afc8ebaf2b883d9ceec599f8281624f5484e6996b3cf7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat

Filesize
238B

MD5
de1aef20d7cab2d3430625d417b1ca8a

SHA1
f6c5b5d1bfb29b3f4c423d9757d8229141412b9a

SHA256
0ad230417501660d946789fe165bfd96a4a97108a17d360fe63b4a5e94565384

SHA512
2f73706656ac82b28deaf8adac0117e48a2134415edad53df58a7bd39d1e13b848e5d13d6d71648e128a0d3f449db2594c53f0b83f9c88431bc51e7f908edd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat

Filesize
238B

MD5
8a212709365cca615a1138bb80d8e0a1

SHA1
10eca1d097e501a563e24d4fed9455398a4d1a8f

SHA256
e5dbc246898f6f8e66dacde6568b4ff66f5bfc5568d2fb8f0a4cecafc2a930bf

SHA512
3128d6adc56e50c1f5b4b159c0ca674442e8cfe3b7d7989385c5ca90d9f1660ba0b5a7969f74215db90237753516c897a2349b9444f8ef478226083e524d23a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat

Filesize
238B

MD5
1658f24ed9fd21a255335d1a98bb8c77

SHA1
614708814e60b7f1de9f7577acaff4cab91c2237

SHA256
16b728360aa4a3535d02b9045156d972593db3b3b9baec474934d3268e208784

SHA512
0a9a1a1087caf7a157b06baf8982c5bc01e978768f72fe84daf15cef13f7c0284e06529c49527c48869ef66f017ce95ef1051bc3893a758499f43f492c610c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat

Filesize
238B

MD5
7fce764b9488b35e1d51eecf721831e9

SHA1
9d9d14651d6f2f3f1d0317a7d94522f3e32b6658

SHA256
cf400ff2bc63049a3e9bd49bce0db9333d91a9cf683d99efe6c491e8d97e5c62

SHA512
883838180ee6c2fe6757c07a8cbf478406935ca0e50222b5623323cb7836059b23da432fff1ea01cfd592c410a224eb5fb932d8ec1ced96a2c7904b75d442a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wjnsh53z.u1k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

Filesize
238B

MD5
89858445bbc05b154956843b45284257

SHA1
fe5924b94a6f4a1d82af05aa0e794d73e231dae2

SHA256
c735c157b81f2f9fe34671eb5b3224f597e718e036a5aa1dd1ef6ac4f9b4d9ec

SHA512
687fda2b469117ffa0fa70feb780694dad0ff61a26d0f89370c40c209c3242e398541d7904bf2a35d214012299fa710424360f6204936b57fa66f4ce695ee63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\de8XdyWh5a.bat

Filesize
199B

MD5
124a2bc04b9edbbbbc332512e611657a

SHA1
4394d7ae61acc1feedd29d8a687aa5d465ffe871

SHA256
cbd3e004082828adeebdb5fd9e61bdcce2b51d56bc87da250b58194e725bc212

SHA512
245acef1dc122fbab484e4f26eaf29e6cf715c34a1a07cab5b2af36270278055aca4338a888015aa65ec14ce49c8984f32410e30ddb36db4f43352aa9ccd566d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat

Filesize
238B

MD5
62341359af892676f83823caa93820c3

SHA1
4f8b81cf2808717e62fb7abba1840326bc61844f

SHA256
bc98a7a4f594fee4684c8be9451cdd2cadda3a83d7292fe869a4c8aa3c552a3d

SHA512
fe1d64a204a966c389708d532344aef4e3f96fd8d55d92365c8e04467322295ab10345c4ac56859d4748364db8c01c8b7414830a113bfc2566133a2d14255e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

Filesize
238B

MD5
21c0539f7a3e0f20d25e647e67c616a8

SHA1
5eaa8697780736adfc9d084606ac039ead48546f

SHA256
4d50390f9d89296d3c70d75ac590135727982b771e517dd1c9e8af17a0184fd9

SHA512
8be2a5b5eff7884acd7601d087617d3e88e7b7be97646330d86eda5b3a5f9e8e8b55556234809410c31664e341607f376ab1c4e12b5239cae346962cd1a7cec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat

Filesize
238B

MD5
4541c7f811cbef4ab1a3bccf1352ce51

SHA1
1970cdaeb612b5b05123f8ed7ada8508b29ffc19

SHA256
6bebb9b8313c115a27ceb06648c19c970ff91494bd05d101370cdb8fe1c0afc1

SHA512
799217ea43255986ecf5412bd4a629d9214abbb20a45ee3ebc9f34ca0b0e49578a7d38cbe26982a549029be37b4856713297cb9405a0301a0c5fd7780500ebde

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2004-404-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/3360-379-0x00000000013F0000-0x0000000001402000-memory.dmp

Filesize
72KB

Download
memory/3840-43-0x0000025CEA6C0000-0x0000025CEA6E2000-memory.dmp

Filesize
136KB

Download
memory/4124-15-0x0000000001480000-0x000000000148C000-memory.dmp

Filesize
48KB

Download
memory/4124-12-0x00007FF8147C3000-0x00007FF8147C5000-memory.dmp

Filesize
8KB

Download
memory/4124-16-0x0000000001490000-0x000000000149C000-memory.dmp

Filesize
48KB

Download
memory/4124-14-0x0000000001470000-0x0000000001482000-memory.dmp

Filesize
72KB

Download
memory/4124-13-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/4124-17-0x00000000014A0000-0x00000000014AC000-memory.dmp

Filesize
48KB

Download
memory/5084-352-0x000000001BE40000-0x000000001BF42000-memory.dmp

Filesize
1.0MB

Download
memory/6036-417-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download