dcrat | 474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11.exe
Size

1.3MB
MD5

0e767084281e91566eaf9290332918fb
SHA1

1e58ddf351c1c947fe733bc6758295b93957038e
SHA256

474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11
SHA512

a7ac2157020c4a44e7eab10cd0ad5986a11b746ce5b969cef2168cb875946a983d4673220d02e9b7392ebd04212b39394fcf48be19a90f3bae0c13f171a9554b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	1980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1980	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b60-9.dat	dcrat
behavioral2/memory/1716-13-0x0000000000520000-0x0000000000630000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1608	powershell.exe
4884	powershell.exe
3420	powershell.exe
3784	powershell.exe
2380	powershell.exe
2512	powershell.exe
4584	powershell.exe
4596	powershell.exe
4828	powershell.exe
1056	powershell.exe
3760	powershell.exe
3968	powershell.exe
4568	powershell.exe
3848	powershell.exe
4912	powershell.exe
4600	powershell.exe
3372	powershell.exe
2684	powershell.exe
1364	powershell.exe
3264	powershell.exe
936	powershell.exe
904	powershell.exe
4492	powershell.exe
1224	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 15 IoCs

pid	Process
1716	DllCommonsvc.exe
4004	DllCommonsvc.exe
660	conhost.exe
1016	conhost.exe
464	conhost.exe
228	conhost.exe
5092	conhost.exe
1056	conhost.exe
980	conhost.exe
3772	conhost.exe
3156	conhost.exe
4384	conhost.exe
4576	conhost.exe
4760	conhost.exe
1692	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
55	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com
46	raw.githubusercontent.com
39	raw.githubusercontent.com
44	raw.githubusercontent.com
52	raw.githubusercontent.com
25	raw.githubusercontent.com
51	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
40	raw.githubusercontent.com
45	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\088424020bedd6	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\55b276f4edf653	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\microsoft.system.package.metadata\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe	DllCommonsvc.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\de-DE\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\tracing\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for SqlServer\0C0A\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\DataStore\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\AppReadiness\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\LanguageOverlayCache\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\DataStore\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Windows\INF\.NET Data Provider for SqlServer\0C0A\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\INF\.NET Data Provider for SqlServer\0C0A\e978f868350d50	DllCommonsvc.exe
File created	C:\Windows\Tasks\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\AppReadiness\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\de-DE\services.exe	DllCommonsvc.exe
File created	C:\Windows\LanguageOverlayCache\conhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JaffaCakes118_474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1484	schtasks.exe
4608	schtasks.exe
4352	schtasks.exe
1972	schtasks.exe
744	schtasks.exe
3180	schtasks.exe
4776	schtasks.exe
3728	schtasks.exe
4220	schtasks.exe
2684	schtasks.exe
464	schtasks.exe
1416	schtasks.exe
2184	schtasks.exe
1064	schtasks.exe
3988	schtasks.exe
3768	schtasks.exe
3760	schtasks.exe
3944	schtasks.exe
3156	schtasks.exe
2620	schtasks.exe
2192	schtasks.exe
4208	schtasks.exe
2256	schtasks.exe
2468	schtasks.exe
112	schtasks.exe
4836	schtasks.exe
4544	schtasks.exe
2700	schtasks.exe
5000	schtasks.exe
744	schtasks.exe
880	schtasks.exe
3208	schtasks.exe
2108	schtasks.exe
2688	schtasks.exe
4060	schtasks.exe
4056	schtasks.exe
1972	schtasks.exe
1224	schtasks.exe
840	schtasks.exe
384	schtasks.exe
5084	schtasks.exe
3344	schtasks.exe
1440	schtasks.exe
4240	schtasks.exe
3308	schtasks.exe
3372	schtasks.exe
1740	schtasks.exe
1496	schtasks.exe
5036	schtasks.exe
2128	schtasks.exe
4528	schtasks.exe
3772	schtasks.exe
432	schtasks.exe
1992	schtasks.exe
1324	schtasks.exe
4220	schtasks.exe
228	schtasks.exe
4912	schtasks.exe
3456	schtasks.exe
3344	schtasks.exe
3036	schtasks.exe
3640	schtasks.exe
3212	schtasks.exe
532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	DllCommonsvc.exe
1716	DllCommonsvc.exe
1716	DllCommonsvc.exe
1716	DllCommonsvc.exe
1716	DllCommonsvc.exe
1716	DllCommonsvc.exe
1716	DllCommonsvc.exe
1716	DllCommonsvc.exe
1716	DllCommonsvc.exe
1716	DllCommonsvc.exe
1716	DllCommonsvc.exe
936	powershell.exe
936	powershell.exe
2512	powershell.exe
2512	powershell.exe
4584	powershell.exe
3968	powershell.exe
3968	powershell.exe
4584	powershell.exe
904	powershell.exe
904	powershell.exe
3264	powershell.exe
3264	powershell.exe
1608	powershell.exe
1608	powershell.exe
4884	powershell.exe
4884	powershell.exe
4492	powershell.exe
4492	powershell.exe
4596	powershell.exe
4596	powershell.exe
2380	powershell.exe
2380	powershell.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
936	powershell.exe
3968	powershell.exe
2512	powershell.exe
4584	powershell.exe
1608	powershell.exe
904	powershell.exe
4492	powershell.exe
4884	powershell.exe
3264	powershell.exe
4596	powershell.exe
2380	powershell.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
4004	DllCommonsvc.exe
3420	powershell.exe
3420	powershell.exe
1224	powershell.exe
1224	powershell.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	DllCommonsvc.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	4004	DllCommonsvc.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	660	conhost.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1016	conhost.exe
Token: SeDebugPrivilege	464	conhost.exe
Token: SeDebugPrivilege	228	conhost.exe
Token: SeDebugPrivilege	5092	conhost.exe
Token: SeDebugPrivilege	1056	conhost.exe
Token: SeDebugPrivilege	980	conhost.exe
Token: SeDebugPrivilege	3772	conhost.exe
Token: SeDebugPrivilege	3156	conhost.exe
Token: SeDebugPrivilege	4384	conhost.exe
Token: SeDebugPrivilege	4576	conhost.exe
Token: SeDebugPrivilege	4760	conhost.exe
Token: SeDebugPrivilege	1692	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2436	2444	JaffaCakes118_474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11.exe	82
PID 2444 wrote to memory of 2436	2444	JaffaCakes118_474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11.exe	82
PID 2444 wrote to memory of 2436	2444	JaffaCakes118_474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11.exe	82
PID 2436 wrote to memory of 2892	2436	WScript.exe	83
PID 2436 wrote to memory of 2892	2436	WScript.exe	83
PID 2436 wrote to memory of 2892	2436	WScript.exe	83
PID 2892 wrote to memory of 1716	2892	cmd.exe	85
PID 2892 wrote to memory of 1716	2892	cmd.exe	85
PID 1716 wrote to memory of 2380	1716	DllCommonsvc.exe	117
PID 1716 wrote to memory of 2380	1716	DllCommonsvc.exe	117
PID 1716 wrote to memory of 2512	1716	DllCommonsvc.exe	118
PID 1716 wrote to memory of 2512	1716	DllCommonsvc.exe	118
PID 1716 wrote to memory of 3264	1716	DllCommonsvc.exe	119
PID 1716 wrote to memory of 3264	1716	DllCommonsvc.exe	119
PID 1716 wrote to memory of 936	1716	DllCommonsvc.exe	120
PID 1716 wrote to memory of 936	1716	DllCommonsvc.exe	120
PID 1716 wrote to memory of 904	1716	DllCommonsvc.exe	121
PID 1716 wrote to memory of 904	1716	DllCommonsvc.exe	121
PID 1716 wrote to memory of 4584	1716	DllCommonsvc.exe	122
PID 1716 wrote to memory of 4584	1716	DllCommonsvc.exe	122
PID 1716 wrote to memory of 3968	1716	DllCommonsvc.exe	123
PID 1716 wrote to memory of 3968	1716	DllCommonsvc.exe	123
PID 1716 wrote to memory of 4596	1716	DllCommonsvc.exe	124
PID 1716 wrote to memory of 4596	1716	DllCommonsvc.exe	124
PID 1716 wrote to memory of 1608	1716	DllCommonsvc.exe	125
PID 1716 wrote to memory of 1608	1716	DllCommonsvc.exe	125
PID 1716 wrote to memory of 4884	1716	DllCommonsvc.exe	126
PID 1716 wrote to memory of 4884	1716	DllCommonsvc.exe	126
PID 1716 wrote to memory of 4492	1716	DllCommonsvc.exe	127
PID 1716 wrote to memory of 4492	1716	DllCommonsvc.exe	127
PID 1716 wrote to memory of 4004	1716	DllCommonsvc.exe	139
PID 1716 wrote to memory of 4004	1716	DllCommonsvc.exe	139
PID 4004 wrote to memory of 3760	4004	DllCommonsvc.exe	176
PID 4004 wrote to memory of 3760	4004	DllCommonsvc.exe	176
PID 4004 wrote to memory of 1056	4004	DllCommonsvc.exe	177
PID 4004 wrote to memory of 1056	4004	DllCommonsvc.exe	177
PID 4004 wrote to memory of 4828	4004	DllCommonsvc.exe	178
PID 4004 wrote to memory of 4828	4004	DllCommonsvc.exe	178
PID 4004 wrote to memory of 1224	4004	DllCommonsvc.exe	179
PID 4004 wrote to memory of 1224	4004	DllCommonsvc.exe	179
PID 4004 wrote to memory of 3848	4004	DllCommonsvc.exe	180
PID 4004 wrote to memory of 3848	4004	DllCommonsvc.exe	180
PID 4004 wrote to memory of 4568	4004	DllCommonsvc.exe	181
PID 4004 wrote to memory of 4568	4004	DllCommonsvc.exe	181
PID 4004 wrote to memory of 1364	4004	DllCommonsvc.exe	182
PID 4004 wrote to memory of 1364	4004	DllCommonsvc.exe	182
PID 4004 wrote to memory of 2684	4004	DllCommonsvc.exe	183
PID 4004 wrote to memory of 2684	4004	DllCommonsvc.exe	183
PID 4004 wrote to memory of 3784	4004	DllCommonsvc.exe	184
PID 4004 wrote to memory of 3784	4004	DllCommonsvc.exe	184
PID 4004 wrote to memory of 3372	4004	DllCommonsvc.exe	185
PID 4004 wrote to memory of 3372	4004	DllCommonsvc.exe	185
PID 4004 wrote to memory of 4600	4004	DllCommonsvc.exe	186
PID 4004 wrote to memory of 4600	4004	DllCommonsvc.exe	186
PID 4004 wrote to memory of 3420	4004	DllCommonsvc.exe	187
PID 4004 wrote to memory of 3420	4004	DllCommonsvc.exe	187
PID 4004 wrote to memory of 4912	4004	DllCommonsvc.exe	188
PID 4004 wrote to memory of 4912	4004	DllCommonsvc.exe	188
PID 4004 wrote to memory of 660	4004	DllCommonsvc.exe	202
PID 4004 wrote to memory of 660	4004	DllCommonsvc.exe	202
PID 660 wrote to memory of 1064	660	conhost.exe	206
PID 660 wrote to memory of 1064	660	conhost.exe	206
PID 1064 wrote to memory of 3424	1064	cmd.exe	208
PID 1064 wrote to memory of 3424	1064	cmd.exe	208

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_474bcfa355ac65a54034728501299eab3a57c0da745b6d7e33365071b52abf11.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\.NET Data Provider for SqlServer\0C0A\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\DataStore\TextInputHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\upfc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\TextInputHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3424
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
        9⤵
        
        PID:4568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:640
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
        11⤵
        
        PID:4892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:628
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
        13⤵
        
        PID:4612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2112
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
        15⤵
        
        PID:2608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4216
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        17⤵
        
        PID:4312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4724
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
        19⤵
        
        PID:4884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1976
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
        21⤵
        
        PID:3692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:208
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        23⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4692
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
        25⤵
        
        PID:3592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1156
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
        27⤵
        
        PID:3176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4088
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"
        29⤵
        
        PID:544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1568
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
        31⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\.NET Data Provider for SqlServer\0C0A\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\INF\.NET Data Provider for SqlServer\0C0A\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Windows\INF\.NET Data Provider for SqlServer\0C0A\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\DataStore\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\DataStore\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\MsEdgeCrashpad\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17a47fb37c3db6efe43338a1e70ef084

SHA1
cd7a943fd86d4be455d01c3cc8bd970d4016f034

SHA256
2cce0f8634c36ae42b3c8116659e968a621789179b8ba3849ac3ed240b113b09

SHA512
9586d02560844cb57d7356cecd2bc271120536f8d73ccc99d4d1e61bbf3af2adfa2dc05aad5b1822da4b406f78c3399e33663949198b864ccc01a8f67e763f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
92075279f2dbcaa5724ee5a47e49712f

SHA1
8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb

SHA256
fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442

SHA512
744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8f659389c6e21eb0c627fbae833500c7

SHA1
ae632f1e4af08587934ff168155b30e2b28d7475

SHA256
a12763453f79453dd8f25f0c90d001ffb5d409ec698491666c9f076c6bc60d8c

SHA512
f4849e0b1d6ab3d4dd054f590a359af8dd1b9d3df2ad78033ad1a59ebafb1ca96aa76fa9061a466d74e8e3266dc882818d79db47908b21ca3ef8be20e427d327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9a7f35c006bbf5da72f9cb250ffbddb

SHA1
458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

SHA256
a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

SHA512
d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd0716df5ff6e2ed8bfa08e271d64dd8

SHA1
c342bbe936058ea27843d5dbe5eb434f926612f7

SHA256
15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

SHA512
7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a672fcf7facce635c83caf7b195d0bf8

SHA1
fec2f6c2456efe713ba08fa692a4a356f2f37ba8

SHA256
71945453f618f8cf9c2ddb24132d7e0522643e13ce42a59ff65476938f56082c

SHA512
12713a140e8a73c9dd8b3bc309e3ff1256c16ecd019d1ded31ab47c71651b11dcdcf48ef889805e5bc87bdeb323c5663ff34313cc41170d2d9b45051107dc31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b22bcc023ccf6782c755f5b743aa3a52

SHA1
141150057021a07fa6aa03f46c9f2fd5719b3eeb

SHA256
a977c9d6fc409dbc0abbaa17e306eca391657f1f3c974cf1b004826000b8d1b4

SHA512
05c78b755324319a86857f3d249cfc9cc0c6c51a4f8ee94350a1936853e323af668fa8ee224d60eea618f1a7684897c3ce24713365dbeeba02e7718cbe4b3b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dcee2c4799aaf7d786c7a18e235934c4

SHA1
92b08222812d2c4392cd5babf316c6509a1d202c

SHA256
33fb8b90e373768d57f2726dc808e2a6319dcea75ed4be819316a4bc3c2f85c1

SHA512
05986414ab12b9b52335528dc4dc1ef6fee378afa09a2858b0ea77cb0c9aaf4339ccae272bbc760ff63d31ad27e8a8206ae0152be82015f49c177cb62b515f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
89b9b22e2cb6f0b903e7f8755f49d7be

SHA1
e13b62b19dccdbacb5fec9227e34f21e34fe5cad

SHA256
17b31393e036af7d83e6ea288a0bbad0278c404f5e0698b3a28f2fa1faa99537

SHA512
f4817348aa7f297c7c81db010bc0ce09c9193c32f0f7c2b0592df0c7731921830b5a3868486f986edfd863d7d82815e67598392b94782b9d317b7066b9fb7064

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat

Filesize
232B

MD5
30fdb2ce34dce0e65fdc0850de0dc5d2

SHA1
905cdd4af5f9e3ae0c641280db09b4b9ce729ec7

SHA256
2b1dc117ead5d81fb2bf08c25b67b4624dc2abe50111a58339439355599f5576

SHA512
1d21a4c4b325f23471cb7a7f8c928b05555c4f7ebe6c762f75e06c1cf682715cb2a99fe43ddd728dbf08f0ae90ed0c48cbf5e2d058e551a0cdb63c2b539c56d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

Filesize
232B

MD5
0d2b34a905cb75a9285b0755fb77eed5

SHA1
fc61be0d5ab44b297c7764fd95ddb768a50aa5e6

SHA256
431548e34cfa4d973931c298067d57e034aad6918068456a57921f3f277d7714

SHA512
c098054d65eed373ce41bc1678e09e9c647ab8f83cde4b2386ac3719c6c4600409dc7dd6cd54d60d61a84b9c98ba7d6fe51f1100b5d6a4ca02f6b8f4bb6e8d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat

Filesize
232B

MD5
9f97f0d56596a1a3e904aa1a1bd4e26c

SHA1
259cc14649181c7c323da996a1a2ed4e63632429

SHA256
012b9ccf2f5c22b67986681e410c94e35dc33d1383fd5660182712d76c08ad0a

SHA512
8e9e9e540240c7d3d2627b8576707bd97af846aed77b56dcb956c106aee6be439e650ad36d91a85e9060c78a0019122c0337a475ee90c047372bdadb1db193e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
232B

MD5
74220fe12bc06e353819367089e46cab

SHA1
397a23994534e8d0a10e2e58d345ae092bd196af

SHA256
253b428ae60a7733dc624214f586f462fcfe854981486a467c13ab3070af00f0

SHA512
15d866016a0f409e43bb5bb7b289f4245e8b318911474d45862e208f4d2a2fd7dea2eaa161819d10bae68560831489361c1cf1e9f723a01a61747a83546fe778

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat

Filesize
232B

MD5
0eeb5a938bce0dd491fe432c23f18ad3

SHA1
f6bc062a3fd7e909c4e37aa1fc1fd04752e79b4e

SHA256
58af2539630bc1ebcf70a91c47e3e49d93da2ef0922b8bf983f7a657d75237fc

SHA512
db5e093ad2204acf599ab317f72be77d45202d6d71148e242115def81d5b05228b1830cce45528f3dfb624349cc513ad3fedb6d3a42737b11655efb52ec5f053

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
232B

MD5
b085ae77a9d6e9f24def1d835676c7f4

SHA1
9adc05cc62697d24b53e98b1b69a98380fa8c46e

SHA256
a948cb2f17353a26fb69b36a17c58dd71b4aeda8263deb599b84c2059d030f72

SHA512
e5161ae8355186277e9db4f5d2ce332d0476220b953a420debe103f497383a44e1553b45352fda9d49ae17e72b2d0321943a88fa4f98804f261c29d29dd7a7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

Filesize
232B

MD5
fa29faa02d045d2c0c139e12d955a355

SHA1
d8c150befedb1d9e70a8bce51f0f70ae708e0384

SHA256
0d1750217b365eefb2caa3c4dbce20edb21d1a434ee76ee27468dd60751307b6

SHA512
d998fe5ec35d6d9aefb5e45b5d9b1c2b8c3cf8740bd8ee00861985a8d975931c35f53602e8045945c64bf76966cf5c4c57c471c1eaff3d48ee8e0dbaf74880d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat

Filesize
232B

MD5
894af619fc629d28a2e4eeaf133b662d

SHA1
1113ca9675323cebcc3c9cb206f9b8f889071293

SHA256
6317089cb4bc8549746171685ba9b7f616384671a818827085456739b7cbc85d

SHA512
8b96113f1a102a772590a8590a9ab2f98fb52ccaeaeac50d9f49ad21e809126618a065c59799ab363d539b8a0782b1856f5af05575282162a2c5536d70589737

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

Filesize
232B

MD5
89bbcf25c56b9964d9aaed7b1fda44e7

SHA1
5c47363f805c311f4f50b3e5cf973157027b9edb

SHA256
1d13eb65c3fbbc27711909d6ebd8512664cb059fee8afdea8732eb10155f2742

SHA512
1d134d1f646e4de9817452117142408734e63d83c923c68bdc6526f88c311f929d26434a97fc61c37441b4695ced853fffc1e13033e8dcdd056a5121d50b004f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwjkmwb3.5zl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
232B

MD5
c7d569fa42bf42c8a932d3c2ffc81c60

SHA1
b0ce3be2c2fc73098646974ce3922c8f78a6c770

SHA256
932c6d4d88964efb4cf9c64b817367af87b8d506ff004e01b0b47ebdfcb91f07

SHA512
0e37bc4d6f47b9be8545be8c6a58c3590dd3669d99a5d7c861f02c8b1e30ba68d2a60fe2ec6f947dfe08ef444b7fcc0916e17819bba4ad604629972eb3b5b745

Download Submit
C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat

Filesize
232B

MD5
e1f5dee0cf3fce958c6f9550b8cdfe73

SHA1
1066b781e1273616f69b9d5f111c7a726413cd23

SHA256
570d728dce9aefe46ff74c12ffd3219cd84cf82a7fb7738dfb477185e3e419d7

SHA512
61f07e9138c8894747f2673698c5e12f7e7803a9556d952f0aa03a50d5b414ecb7ae3cc407d791afa37ef003b2df6bfebfb29a23b57bdc40add19b337b53b274

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

Filesize
232B

MD5
fca7bd78bfb7771b5ae59d5604728797

SHA1
f5563519a33350249b7cb27a8cebf9c1a28eecd8

SHA256
1d285e3fe82a95d005cf93ce4e766e65dc821bbb21e0ad63a86014a0e3050c4d

SHA512
8be78dcfddb1facc66e21777b893aa40ee5451288efc2b02d5c5e43f1db3f7eaf223f05c8629fd534cb8d859b67e70cf18570afe3b89dd8c5677e4b27ea398ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

Filesize
232B

MD5
9388e11066ac96bf1fe0a514ed49cad3

SHA1
773f3148d70375643309b6c1bc67892dd350d12c

SHA256
49aa10bd296a5d14711e7aa05514de9847ba03b69ee69ee193adcf37f7b35956

SHA512
d0c8768f0fafc9f354b20a5edd2945ff24819c1a02270e76b3fa3c31751d2270b1c831edc0619d09e3f918dbd2c5c80ee5220eb62e4378c1ebc4146d40b458c8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/464-353-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/980-378-0x0000000001620000-0x0000000001632000-memory.dmp

Filesize
72KB

Download
memory/1608-46-0x000001894DB80000-0x000001894DBA2000-memory.dmp

Filesize
136KB

Download
memory/1692-418-0x0000000002E60000-0x0000000002E72000-memory.dmp

Filesize
72KB

Download
memory/1716-13-0x0000000000520000-0x0000000000630000-memory.dmp

Filesize
1.1MB

Download
memory/1716-14-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/1716-15-0x0000000002760000-0x000000000276C000-memory.dmp

Filesize
48KB

Download
memory/1716-16-0x0000000002750000-0x000000000275C000-memory.dmp

Filesize
48KB

Download
memory/1716-12-0x00007FFFFBCA3000-0x00007FFFFBCA5000-memory.dmp

Filesize
8KB

Download
memory/1716-17-0x0000000002770000-0x000000000277C000-memory.dmp

Filesize
48KB

Download
memory/3156-391-0x000000001B0B0000-0x000000001B0C2000-memory.dmp

Filesize
72KB

Download
memory/4576-404-0x00000000016A0000-0x00000000016B2000-memory.dmp

Filesize
72KB

Download
memory/4760-411-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download