dcrat | 45a347a1436bbef8295f9ce15b78708ec11f5c567a39db32df15503b06ab8d02

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_45a347a1436bbef8295f9ce15b78708ec11f5c567a39db32df15503b06ab8d02.exe
Size

1.3MB
MD5

524eeb5190eea493300469e693861b15
SHA1

45eab03308d7806bdc302d5e8a16cab5b5d8f463
SHA256

45a347a1436bbef8295f9ce15b78708ec11f5c567a39db32df15503b06ab8d02
SHA512

f22775fbcaae5502336f6eaf0dd477912e73944e14fe9da5ed735eaf1d6cf6b1ef576c044787a7b18a1885037588acad343bc9809c6489fd34ddd2f9c489c829
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2080	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019230-12.dat	dcrat
behavioral1/memory/596-13-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/2492-238-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2584-298-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/2076-655-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/2360-715-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/3028-774-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1600	powershell.exe
2308	powershell.exe
1572	powershell.exe
2440	powershell.exe
1656	powershell.exe
1960	powershell.exe
2092	powershell.exe
3028	powershell.exe
2220	powershell.exe
2068	powershell.exe
2972	powershell.exe
964	powershell.exe
2160	powershell.exe
2756	powershell.exe
1724	powershell.exe
1064	powershell.exe
940	powershell.exe
2376	powershell.exe
2708	powershell.exe
2428	powershell.exe
2280	powershell.exe
2204	powershell.exe
1976	powershell.exe
576	powershell.exe
284	powershell.exe
2468	powershell.exe
844	powershell.exe
1400	powershell.exe
2908	powershell.exe
784	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
596	DllCommonsvc.exe
1552	DllCommonsvc.exe
2492	WMIADAP.exe
2584	WMIADAP.exe
1648	WMIADAP.exe
2204	WMIADAP.exe
2656	WMIADAP.exe
1692	WMIADAP.exe
2728	WMIADAP.exe
2076	WMIADAP.exe
2360	WMIADAP.exe
3028	WMIADAP.exe
1704	WMIADAP.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	cmd.exe
2900	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
40	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\conhost.exe	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\56085415360792	DllCommonsvc.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\ja-JP\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Templates\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Templates\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\wininit.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_45a347a1436bbef8295f9ce15b78708ec11f5c567a39db32df15503b06ab8d02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2884	schtasks.exe
2008	schtasks.exe
1372	schtasks.exe
2996	schtasks.exe
1984	schtasks.exe
912	schtasks.exe
2640	schtasks.exe
2916	schtasks.exe
1344	schtasks.exe
2800	schtasks.exe
1328	schtasks.exe
2884	schtasks.exe
1396	schtasks.exe
2052	schtasks.exe
2684	schtasks.exe
1396	schtasks.exe
1716	schtasks.exe
2436	schtasks.exe
716	schtasks.exe
2236	schtasks.exe
380	schtasks.exe
3024	schtasks.exe
2044	schtasks.exe
2120	schtasks.exe
780	schtasks.exe
1596	schtasks.exe
1692	schtasks.exe
1560	schtasks.exe
1920	schtasks.exe
1700	schtasks.exe
2460	schtasks.exe
2492	schtasks.exe
2612	schtasks.exe
784	schtasks.exe
1924	schtasks.exe
996	schtasks.exe
2320	schtasks.exe
2552	schtasks.exe
1400	schtasks.exe
2456	schtasks.exe
1384	schtasks.exe
1664	schtasks.exe
2864	schtasks.exe
2476	schtasks.exe
2736	schtasks.exe
2176	schtasks.exe
2004	schtasks.exe
2828	schtasks.exe
1660	schtasks.exe
2068	schtasks.exe
2752	schtasks.exe
2416	schtasks.exe
1960	schtasks.exe
2076	schtasks.exe
1720	schtasks.exe
1952	schtasks.exe
2392	schtasks.exe
792	schtasks.exe
1028	schtasks.exe
2948	schtasks.exe
2252	schtasks.exe
2920	schtasks.exe
1768	schtasks.exe
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
596	DllCommonsvc.exe
1064	powershell.exe
844	powershell.exe
940	powershell.exe
1400	powershell.exe
2428	powershell.exe
964	powershell.exe
1960	powershell.exe
1600	powershell.exe
2376	powershell.exe
1656	powershell.exe
2280	powershell.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
1552	DllCommonsvc.exe
2160	powershell.exe
2092	powershell.exe
2204	powershell.exe
2972	powershell.exe
2468	powershell.exe
576	powershell.exe
2220	powershell.exe
1572	powershell.exe
284	powershell.exe
1724	powershell.exe
784	powershell.exe
2708	powershell.exe
2440	powershell.exe
3028	powershell.exe
2756	powershell.exe
2068	powershell.exe
2308	powershell.exe
1976	powershell.exe
2908	powershell.exe
2492	WMIADAP.exe
2584	WMIADAP.exe
1648	WMIADAP.exe
2204	WMIADAP.exe
2656	WMIADAP.exe
1692	WMIADAP.exe
2728	WMIADAP.exe
2076	WMIADAP.exe
2360	WMIADAP.exe
3028	WMIADAP.exe
1704	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	DllCommonsvc.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1552	DllCommonsvc.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2492	WMIADAP.exe
Token: SeDebugPrivilege	2584	WMIADAP.exe
Token: SeDebugPrivilege	1648	WMIADAP.exe
Token: SeDebugPrivilege	2204	WMIADAP.exe
Token: SeDebugPrivilege	2656	WMIADAP.exe
Token: SeDebugPrivilege	1692	WMIADAP.exe
Token: SeDebugPrivilege	2728	WMIADAP.exe
Token: SeDebugPrivilege	2076	WMIADAP.exe
Token: SeDebugPrivilege	2360	WMIADAP.exe
Token: SeDebugPrivilege	3028	WMIADAP.exe
Token: SeDebugPrivilege	1704	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1908	2252	JaffaCakes118_45a347a1436bbef8295f9ce15b78708ec11f5c567a39db32df15503b06ab8d02.exe	30
PID 2252 wrote to memory of 1908	2252	JaffaCakes118_45a347a1436bbef8295f9ce15b78708ec11f5c567a39db32df15503b06ab8d02.exe	30
PID 2252 wrote to memory of 1908	2252	JaffaCakes118_45a347a1436bbef8295f9ce15b78708ec11f5c567a39db32df15503b06ab8d02.exe	30
PID 2252 wrote to memory of 1908	2252	JaffaCakes118_45a347a1436bbef8295f9ce15b78708ec11f5c567a39db32df15503b06ab8d02.exe	30
PID 1908 wrote to memory of 2900	1908	WScript.exe	31
PID 1908 wrote to memory of 2900	1908	WScript.exe	31
PID 1908 wrote to memory of 2900	1908	WScript.exe	31
PID 1908 wrote to memory of 2900	1908	WScript.exe	31
PID 2900 wrote to memory of 596	2900	cmd.exe	33
PID 2900 wrote to memory of 596	2900	cmd.exe	33
PID 2900 wrote to memory of 596	2900	cmd.exe	33
PID 2900 wrote to memory of 596	2900	cmd.exe	33
PID 596 wrote to memory of 1064	596	DllCommonsvc.exe	65
PID 596 wrote to memory of 1064	596	DllCommonsvc.exe	65
PID 596 wrote to memory of 1064	596	DllCommonsvc.exe	65
PID 596 wrote to memory of 844	596	DllCommonsvc.exe	66
PID 596 wrote to memory of 844	596	DllCommonsvc.exe	66
PID 596 wrote to memory of 844	596	DllCommonsvc.exe	66
PID 596 wrote to memory of 1600	596	DllCommonsvc.exe	67
PID 596 wrote to memory of 1600	596	DllCommonsvc.exe	67
PID 596 wrote to memory of 1600	596	DllCommonsvc.exe	67
PID 596 wrote to memory of 1656	596	DllCommonsvc.exe	68
PID 596 wrote to memory of 1656	596	DllCommonsvc.exe	68
PID 596 wrote to memory of 1656	596	DllCommonsvc.exe	68
PID 596 wrote to memory of 964	596	DllCommonsvc.exe	69
PID 596 wrote to memory of 964	596	DllCommonsvc.exe	69
PID 596 wrote to memory of 964	596	DllCommonsvc.exe	69
PID 596 wrote to memory of 1400	596	DllCommonsvc.exe	70
PID 596 wrote to memory of 1400	596	DllCommonsvc.exe	70
PID 596 wrote to memory of 1400	596	DllCommonsvc.exe	70
PID 596 wrote to memory of 940	596	DllCommonsvc.exe	71
PID 596 wrote to memory of 940	596	DllCommonsvc.exe	71
PID 596 wrote to memory of 940	596	DllCommonsvc.exe	71
PID 596 wrote to memory of 2428	596	DllCommonsvc.exe	72
PID 596 wrote to memory of 2428	596	DllCommonsvc.exe	72
PID 596 wrote to memory of 2428	596	DllCommonsvc.exe	72
PID 596 wrote to memory of 1960	596	DllCommonsvc.exe	73
PID 596 wrote to memory of 1960	596	DllCommonsvc.exe	73
PID 596 wrote to memory of 1960	596	DllCommonsvc.exe	73
PID 596 wrote to memory of 2280	596	DllCommonsvc.exe	74
PID 596 wrote to memory of 2280	596	DllCommonsvc.exe	74
PID 596 wrote to memory of 2280	596	DllCommonsvc.exe	74
PID 596 wrote to memory of 2376	596	DllCommonsvc.exe	75
PID 596 wrote to memory of 2376	596	DllCommonsvc.exe	75
PID 596 wrote to memory of 2376	596	DllCommonsvc.exe	75
PID 596 wrote to memory of 1552	596	DllCommonsvc.exe	82
PID 596 wrote to memory of 1552	596	DllCommonsvc.exe	82
PID 596 wrote to memory of 1552	596	DllCommonsvc.exe	82
PID 1552 wrote to memory of 2092	1552	DllCommonsvc.exe	143
PID 1552 wrote to memory of 2092	1552	DllCommonsvc.exe	143
PID 1552 wrote to memory of 2092	1552	DllCommonsvc.exe	143
PID 1552 wrote to memory of 2468	1552	DllCommonsvc.exe	144
PID 1552 wrote to memory of 2468	1552	DllCommonsvc.exe	144
PID 1552 wrote to memory of 2468	1552	DllCommonsvc.exe	144
PID 1552 wrote to memory of 1724	1552	DllCommonsvc.exe	145
PID 1552 wrote to memory of 1724	1552	DllCommonsvc.exe	145
PID 1552 wrote to memory of 1724	1552	DllCommonsvc.exe	145
PID 1552 wrote to memory of 576	1552	DllCommonsvc.exe	148
PID 1552 wrote to memory of 576	1552	DllCommonsvc.exe	148
PID 1552 wrote to memory of 576	1552	DllCommonsvc.exe	148
PID 1552 wrote to memory of 2708	1552	DllCommonsvc.exe	149
PID 1552 wrote to memory of 2708	1552	DllCommonsvc.exe	149
PID 1552 wrote to memory of 2708	1552	DllCommonsvc.exe	149
PID 1552 wrote to memory of 2204	1552	DllCommonsvc.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45a347a1436bbef8295f9ce15b78708ec11f5c567a39db32df15503b06ab8d02.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45a347a1436bbef8295f9ce15b78708ec11f5c567a39db32df15503b06ab8d02.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WMIADAP.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SYxdD1qoul.bat"
        6⤵
        
        PID:1384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1828
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
        8⤵
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3064
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
        10⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2760
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
        12⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2448
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
        14⤵
        
        PID:684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2236
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        16⤵
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1760
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
        18⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1880
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
        20⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1768
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        22⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1372
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
        24⤵
        
        PID:780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2100
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
        26⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:380
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
        28⤵
        
        PID:1644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\ja-JP\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
1⤵
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
1⤵
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\088424020bedd6

Filesize
33B

MD5
0981ea1b05fe423c865e6a33240eb2fc

SHA1
49b8479ad686c0ebab2d7f844e2b22d089abbf90

SHA256
58053a25aa576afcef6f30161e6bc143ade56c1d89e5205a14e05d75297b1c6d

SHA512
89bfb7652e3e8995abc9bd6e3bff8ce7a9e77e6bec143e15878a8348b0301bfbc1823f24d04426edf32c7f2a3ca0eca8cd31127c0f127cd08f0edde1c274dc4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c465e7eaa63bb5ec0d3c639607950c7

SHA1
839de852feb9b5713bd7cb091225c92dc339ecca

SHA256
af469d04a718c9ceacd297d4fab7eb027193a9039a132f6e304af1e9fb9075c2

SHA512
05c2212174bcfc27162ec5b30ca18f78a71ea0477066ddaff86daad6f38a592a10f0acd54fabb3848f78ddc08c96c9b7adf420bf7680319db21219d1e07723e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bed7dd9fd8dcdd1a74c1461189feffcf

SHA1
f69ded8d092e24a8bdf983422e8e6ead0f2775c9

SHA256
a2447ad6c0f3520fcca41727167a12c485d3784fc19120d482cd10cadaf74b23

SHA512
856eb3419667be7d48c71b503a797d81dd82942bc82f1c8bccf858d968a1706806181031eebdc0897507a8d6ccc3ad1918bf78027819b622850f5448bdb42e40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b06f9321996cdad89a384be022dbf51

SHA1
c0ad9c8cb467a4eb9b0bbf91001709f3e060726c

SHA256
9a46d85c3381038d8ad14b5c1eddf132e45bc0f548eba6e2480c1728cac5ee38

SHA512
ebf5db489a6869f530301bb3326dc0f694f7d06e8168bc66a6741f11cbde2869f9fa309306fe09f7f9df68f3c370f58dc428dcd1b111d6402a1bd754f81884fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
829389bcc9deea5f8d359bf64cf0d57e

SHA1
64a931138545d91d6c6bb07731c33f1427d40276

SHA256
7ab7db5d11e4c2dbaa53141ddee2b5a893ff4558c153c60063e00cf0bd28b4eb

SHA512
916d30de8c609e0740199296d8eaf927390c69f504c1074bae2d173691df9c45d035547b33b7add88f1bc5f3504302159e51267638bed80c37e63b7576f7140d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
986c314b40657eb976ca29004ae0fb66

SHA1
663d29bfc430f0172e6eef0ec365be0ae2538f31

SHA256
76ca583121535797a1bdb06c404adc1e82929bfab0477acb652b98eb3de5c1df

SHA512
4054483d243b41b2dbf73bb47f34218997e0c2e0e3b96868dceea38642192dcf2045360b00a88238cf3b5a635b32d1b653280629968522f2fa4edf545863cb54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
471cc242c78a8641a8255ec8d1877bfe

SHA1
241e7e06c14b006da0563fff91315a212bea424a

SHA256
7a1a5e11a0aeed4686e03265c27cdb43d0d16b7dfdef2ab528d6a54922b7c136

SHA512
b03d5f494b61746b0b82f81e241aabcf107c722b891dbd1c5f85d433c4bd395028a01bb9a4bd698909d70644bb172d5d59f0e1c1d3a258a3ab375a4576e663e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
324add54162771f0677c2d3d6ee57b89

SHA1
05a84808493dd8d99fcc789c335175bee2babef0

SHA256
a0409d4b584e145cde49cc33b60308ef45b81d13bdf6b379fe4ff9f1948c16ed

SHA512
e2a2ac7e48bdf87a738f3fe087aa3a87ae12c4d24a6792025c825e9b4a234e3d7598adca0cc41af7141b11d99dddc37f428ca1b71ee6f49084df55dc416cb7b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe034fe5ab5a2efb5806c28211bcecdd

SHA1
a10b6a14faff42be4fd0ef43e8ba6a444c0692b0

SHA256
37b3a3f40152eb6103056b593236db52271a55b292aa02ce094fec97578e4411

SHA512
d2ee64868c612cdee60dd163bea587d1fbfbb109180b39040564f430db78292a785ac743494433b69125ced33129552d59945ecd4d2cdac13be83fc9fdbda0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat

Filesize
198B

MD5
3cf7bb6807804f130f78d6528ea9f230

SHA1
169521c5c6aa477e0999a6f9eb975aff5b926fa6

SHA256
9569efa846c6dc3acb5ac90e1e7d76ddb646aa37169b789a2b9ad62ae549d437

SHA512
3c52d5609f49ef844685c3f5b990b7208523156bc447a4a4120d8849f8d802d56c5fd5249c16dd4ad3dfc5d5fbcd43a4fd096a177818fb52abad7763d261fb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

Filesize
198B

MD5
d8e8e5e22390b9119553e3e969c30361

SHA1
c43fbb20fe3e31c9b270bc169034177867302501

SHA256
9d2a02e21dc60f55d2615093a61f30154e75ca3b0a67ab70653e5866142ec006

SHA512
0c0e6b27169ed06fa2173071f08489d1cd3373aa72d388631a955938b791aeed81d2ee49c6b890d91ebec441e33ca5be2f8dc6389230a9363e299b6b84e145f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab17D6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYxdD1qoul.bat

Filesize
198B

MD5
e6e8ff32dacd69aaf57e903367003730

SHA1
1a505559fde03664eb25baaf3c45a6c4acfe8728

SHA256
896b2c086ec2e86431b9c5e950fdde662cea91ba07a1c0003bb56c0249e02ca3

SHA512
844e1f4713ca1218be21f2a2f95afc25cb59df517a5bc2cc0ee760525ac4ce3446b2e95c473fe8076a29388971426b544e68d07e533c1caded2e05b106d718fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1818.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat

Filesize
198B

MD5
3fbcca0099c6c6207272123ec8e2e213

SHA1
a952215de0cf7c2718d3cdecd7cd809835eda3ec

SHA256
88e091ae8b37d0daf61b4f8fb3698fc1806c87be5aa37e65a3e4f2c2e6e01936

SHA512
d270d2490baa03dbeb0fa4dc65afd10ec1aadb37fc24effd40df82204020767ccc2f3dab4a8b9a3466b5c0945b95fb26a7255adb34db0aa71ac8bd1d62103693

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

Filesize
198B

MD5
cfa7275a443202ec93068644b75dd9e9

SHA1
939d3f8e6e232eddcd11408747b8625ced69fad4

SHA256
110d69476c276dc1be48a5fb0d7b37235485f2490f061b80cebdaa5d2e59c55d

SHA512
8209aa90762a56b0d88a99762ddcd172c647a0c2bf283d3e57e247dd4023777f845aab5f6cd60d071c053058523495a3d6a99603afa316f539d84d4d69ea00ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

Filesize
198B

MD5
911c9408256c0fa647d8b3c04383b2f0

SHA1
2df9388859daf98dec4b18b69a63ffb0da8be754

SHA256
b834d98867dabe2363c478b24562dae6ee003c68372df84ed35f205e634336a1

SHA512
3fd4f28103c6671bb2d7134f5bc41d14003a1b2d1c3310adf555e70d4a0f173fd463e20cae0ce38df9e8c9be7cc5109b59184c5e6ea251d8a14c13a900603088

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat

Filesize
198B

MD5
9555691301051813907431272cca6faa

SHA1
50392b9962bb94942c9bc700bd77081efd3fd8ef

SHA256
5496c2c97d43fb5929dee20936b976c6f742098d8c6282a758ab24f32be39b55

SHA512
3c63790ec8d962b694d94a3da82b36ea8a01e35f5c6b9089cd705d343b4896beabbbbca62a7a0fb77c14f56fdacf147b0ae8976470925f15c0fe4006d4961617

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
198B

MD5
eb8426fb34eec0c71aec7d868d50daa7

SHA1
261255ff1d517a7b476a765659471e3cd8cff6e6

SHA256
12b4f66c597c7b154fb89a2ba1e602068ac8fcc5a9c7d1812403bcbefe8e8c49

SHA512
fe707a46a45fdb58dc4b5cc8f4229800198f83b86b405ba6bf9a1fd8575ee518884473f566cfe34752190462c171b6e04e7be8765c81500c17cfdc9740668dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
198B

MD5
637d091a4c5b94e4e993437c26bfe09e

SHA1
01858283fe8a85750eac6e4f46f546475d13ca64

SHA256
53090e34f909a0c0651f64d1f79935fb69915b012933090a6e6e8780c66ca4ad

SHA512
73ea7bb609a6c84283a72eb4f5d162adf4d7b7ef24762ebc7c5a7718142cb3dd4c00577abbb7d084f4e1a3f74dba625f1588e40045444410eb81239f85f4663b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

Filesize
198B

MD5
2881290da1469def2535655e6b05437b

SHA1
3874df0813f781baeb6cfcff092fe906f3d4179c

SHA256
d81d02aea8ce25b90df518d632f1f064e55333b3d45d054d4b0caa1fff6170cf

SHA512
75700109a01fb5eb47defd3e7b57071cb30e74e2ba9ac19ae604f7df72d4bab0db4790b6b894a44f6d75b0d9d93f2b5771c4ee76e6af9ed4cecbc79725813a8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6ca8e6442b3d31c92b8713816b1bf1a0

SHA1
89912e80f878ee77b7b30f56c3c603a89dacb7a9

SHA256
371520b54895b43d5312d4af12a594efbbf5aadd9a472e3d2769d874dfe05c59

SHA512
2f92a9fa2ae9ece393e8ec69b7d792f07fc748acb25361dce0dcf8a90444a865b756e4e962fc3093320c6a0f97d21cf573ab61272281832dc5dcc82fa5b4278a

Download Submit
C:\providercommon\088424020bedd6

Filesize
311B

MD5
1d67f88993da9bea7c7cb73ff56c2dae

SHA1
a8febacabe25d2714d19e0be87a4061dbfdc85f7

SHA256
0e2125216d13622800d3ed24eaba5067fd73d0b39b03efd3d2a7ccfb7b87445e

SHA512
03642d7f5d354851684b644991edc0edda02f5cad07324f7b4e23c79ac4fca5b5cb7472ce61350e78a32a3562ee3dd3945ab8309596491f8bee72b25e5a4ad5a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/596-13-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/596-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/596-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/596-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/596-17-0x0000000002090000-0x000000000209C000-memory.dmp

Filesize
48KB

Download
memory/844-49-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/1064-48-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1552-95-0x0000000001FE0000-0x0000000001FF2000-memory.dmp

Filesize
72KB

Download
memory/1648-359-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2076-655-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/2160-166-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/2360-715-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/2468-154-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2492-239-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2492-238-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2584-299-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/2584-298-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/3028-774-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download