dcrat | 07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac.exe
Size

1.3MB
MD5

7011425b7e59e4e60969bcae2114043a
SHA1

93f425436377ed798351f9e4b8c8222cc455ce3b
SHA256

07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac
SHA512

1ac93e9c03fa7ec638d394e0d5a5c11899be29b337b81edf27fdd857b7b156913d042059a43703567e0933d4356ba0d30911105f8e59e0bceabd30d72bd7ca49
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	1028	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c79-10.dat	dcrat
behavioral2/memory/3020-13-0x0000000000D50000-0x0000000000E60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 27 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1372	powershell.exe
4484	powershell.exe
4972	powershell.exe
4788	powershell.exe
1800	powershell.exe
3972	powershell.exe
716	powershell.exe
4976	powershell.exe
4476	powershell.exe
3004	powershell.exe
4324	powershell.exe
4984	powershell.exe
1044	powershell.exe
448	powershell.exe
4788	powershell.exe
1328	powershell.exe
3356	powershell.exe
2504	powershell.exe
4488	powershell.exe
1532	powershell.exe
2756	powershell.exe
3536	powershell.exe
5088	powershell.exe
2924	powershell.exe
3568	powershell.exe
2200	powershell.exe
4812	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 13 IoCs

pid	Process
3020	DllCommonsvc.exe
936	DllCommonsvc.exe
2932	DllCommonsvc.exe
5744	OfficeClickToRun.exe
2984	OfficeClickToRun.exe
5448	OfficeClickToRun.exe
5224	OfficeClickToRun.exe
6040	OfficeClickToRun.exe
1036	OfficeClickToRun.exe
5296	OfficeClickToRun.exe
5704	OfficeClickToRun.exe
5416	OfficeClickToRun.exe
5176	OfficeClickToRun.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
21	raw.githubusercontent.com
22	raw.githubusercontent.com
37	raw.githubusercontent.com
43	raw.githubusercontent.com
48	raw.githubusercontent.com
49	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Java\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\upfc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Icons\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\Registry.exe	DllCommonsvc.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\WaaS\System.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\it-IT\WaaSMedicAgent.exe	DllCommonsvc.exe
File created	C:\Windows\OCR\fr-fr\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\de-DE\TextInputHost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\de-DE\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Windows\it-IT\c82b8037eab33d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4636	schtasks.exe
316	schtasks.exe
4532	schtasks.exe
1812	schtasks.exe
4468	schtasks.exe
4944	schtasks.exe
3180	schtasks.exe
1008	schtasks.exe
3116	schtasks.exe
3580	schtasks.exe
2040	schtasks.exe
5000	schtasks.exe
1884	schtasks.exe
1584	schtasks.exe
1228	schtasks.exe
4996	schtasks.exe
2584	schtasks.exe
3692	schtasks.exe
2440	schtasks.exe
4828	schtasks.exe
1964	schtasks.exe
4948	schtasks.exe
4872	schtasks.exe
5048	schtasks.exe
1736	schtasks.exe
3468	schtasks.exe
768	schtasks.exe
404	schtasks.exe
2556	schtasks.exe
388	schtasks.exe
100	schtasks.exe
2408	schtasks.exe
3012	schtasks.exe
1092	schtasks.exe
3252	schtasks.exe
1872	schtasks.exe
2880	schtasks.exe
4048	schtasks.exe
3364	schtasks.exe
5108	schtasks.exe
752	schtasks.exe
3844	schtasks.exe
5024	schtasks.exe
2552	schtasks.exe
2288	schtasks.exe
4300	schtasks.exe
1140	schtasks.exe
4860	schtasks.exe
4728	schtasks.exe
220	schtasks.exe
1168	schtasks.exe
5116	schtasks.exe
2208	schtasks.exe
2316	schtasks.exe
2404	schtasks.exe
4164	schtasks.exe
632	schtasks.exe
2924	schtasks.exe
1316	schtasks.exe
3196	schtasks.exe
1992	schtasks.exe
5088	schtasks.exe
3472	schtasks.exe
4088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	DllCommonsvc.exe
3020	DllCommonsvc.exe
3020	DllCommonsvc.exe
5088	powershell.exe
4488	powershell.exe
2924	powershell.exe
4972	powershell.exe
5088	powershell.exe
4488	powershell.exe
2924	powershell.exe
4972	powershell.exe
936	DllCommonsvc.exe
936	DllCommonsvc.exe
936	DllCommonsvc.exe
936	DllCommonsvc.exe
936	DllCommonsvc.exe
3004	powershell.exe
4788	powershell.exe
1532	powershell.exe
3004	powershell.exe
4788	powershell.exe
1532	powershell.exe
2932	DllCommonsvc.exe
2932	DllCommonsvc.exe
2932	DllCommonsvc.exe
2932	DllCommonsvc.exe
2932	DllCommonsvc.exe
2932	DllCommonsvc.exe
2932	DllCommonsvc.exe
2932	DllCommonsvc.exe
4324	powershell.exe
4324	powershell.exe
1044	powershell.exe
1044	powershell.exe
448	powershell.exe
448	powershell.exe
2756	powershell.exe
2756	powershell.exe
3356	powershell.exe
3356	powershell.exe
1800	powershell.exe
1800	powershell.exe
4812	powershell.exe
4812	powershell.exe
2504	powershell.exe
2504	powershell.exe
4984	powershell.exe
4984	powershell.exe
4976	powershell.exe
4976	powershell.exe
4484	powershell.exe
4484	powershell.exe
1372	powershell.exe
1372	powershell.exe
2200	powershell.exe
2200	powershell.exe
3972	powershell.exe
3972	powershell.exe
4476	powershell.exe
4476	powershell.exe
1328	powershell.exe
1328	powershell.exe
3568	powershell.exe
3568	powershell.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	DllCommonsvc.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	936	DllCommonsvc.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2932	DllCommonsvc.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	5744	OfficeClickToRun.exe
Token: SeDebugPrivilege	2984	OfficeClickToRun.exe
Token: SeDebugPrivilege	5448	OfficeClickToRun.exe
Token: SeDebugPrivilege	5224	OfficeClickToRun.exe
Token: SeDebugPrivilege	6040	OfficeClickToRun.exe
Token: SeDebugPrivilege	1036	OfficeClickToRun.exe
Token: SeDebugPrivilege	5296	OfficeClickToRun.exe
Token: SeDebugPrivilege	5704	OfficeClickToRun.exe
Token: SeDebugPrivilege	5416	OfficeClickToRun.exe
Token: SeDebugPrivilege	5176	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 224	3708	JaffaCakes118_07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac.exe	82
PID 3708 wrote to memory of 224	3708	JaffaCakes118_07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac.exe	82
PID 3708 wrote to memory of 224	3708	JaffaCakes118_07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac.exe	82
PID 224 wrote to memory of 452	224	WScript.exe	84
PID 224 wrote to memory of 452	224	WScript.exe	84
PID 224 wrote to memory of 452	224	WScript.exe	84
PID 452 wrote to memory of 3020	452	cmd.exe	86
PID 452 wrote to memory of 3020	452	cmd.exe	86
PID 3020 wrote to memory of 5088	3020	DllCommonsvc.exe	98
PID 3020 wrote to memory of 5088	3020	DllCommonsvc.exe	98
PID 3020 wrote to memory of 4972	3020	DllCommonsvc.exe	99
PID 3020 wrote to memory of 4972	3020	DllCommonsvc.exe	99
PID 3020 wrote to memory of 4488	3020	DllCommonsvc.exe	100
PID 3020 wrote to memory of 4488	3020	DllCommonsvc.exe	100
PID 3020 wrote to memory of 2924	3020	DllCommonsvc.exe	101
PID 3020 wrote to memory of 2924	3020	DllCommonsvc.exe	101
PID 3020 wrote to memory of 4100	3020	DllCommonsvc.exe	106
PID 3020 wrote to memory of 4100	3020	DllCommonsvc.exe	106
PID 4100 wrote to memory of 4316	4100	cmd.exe	108
PID 4100 wrote to memory of 4316	4100	cmd.exe	108
PID 4100 wrote to memory of 936	4100	cmd.exe	109
PID 4100 wrote to memory of 936	4100	cmd.exe	109
PID 936 wrote to memory of 3004	936	DllCommonsvc.exe	116
PID 936 wrote to memory of 3004	936	DllCommonsvc.exe	116
PID 936 wrote to memory of 1532	936	DllCommonsvc.exe	117
PID 936 wrote to memory of 1532	936	DllCommonsvc.exe	117
PID 936 wrote to memory of 4788	936	DllCommonsvc.exe	118
PID 936 wrote to memory of 4788	936	DllCommonsvc.exe	118
PID 936 wrote to memory of 4352	936	DllCommonsvc.exe	122
PID 936 wrote to memory of 4352	936	DllCommonsvc.exe	122
PID 4352 wrote to memory of 2284	4352	cmd.exe	124
PID 4352 wrote to memory of 2284	4352	cmd.exe	124
PID 4352 wrote to memory of 2932	4352	cmd.exe	133
PID 4352 wrote to memory of 2932	4352	cmd.exe	133
PID 2932 wrote to memory of 1800	2932	DllCommonsvc.exe	191
PID 2932 wrote to memory of 1800	2932	DllCommonsvc.exe	191
PID 2932 wrote to memory of 4812	2932	DllCommonsvc.exe	192
PID 2932 wrote to memory of 4812	2932	DllCommonsvc.exe	192
PID 2932 wrote to memory of 4324	2932	DllCommonsvc.exe	193
PID 2932 wrote to memory of 4324	2932	DllCommonsvc.exe	193
PID 2932 wrote to memory of 4984	2932	DllCommonsvc.exe	194
PID 2932 wrote to memory of 4984	2932	DllCommonsvc.exe	194
PID 2932 wrote to memory of 716	2932	DllCommonsvc.exe	195
PID 2932 wrote to memory of 716	2932	DllCommonsvc.exe	195
PID 2932 wrote to memory of 3568	2932	DllCommonsvc.exe	196
PID 2932 wrote to memory of 3568	2932	DllCommonsvc.exe	196
PID 2932 wrote to memory of 448	2932	DllCommonsvc.exe	197
PID 2932 wrote to memory of 448	2932	DllCommonsvc.exe	197
PID 2932 wrote to memory of 2504	2932	DllCommonsvc.exe	198
PID 2932 wrote to memory of 2504	2932	DllCommonsvc.exe	198
PID 2932 wrote to memory of 2756	2932	DllCommonsvc.exe	199
PID 2932 wrote to memory of 2756	2932	DllCommonsvc.exe	199
PID 2932 wrote to memory of 4976	2932	DllCommonsvc.exe	200
PID 2932 wrote to memory of 4976	2932	DllCommonsvc.exe	200
PID 2932 wrote to memory of 1328	2932	DllCommonsvc.exe	201
PID 2932 wrote to memory of 1328	2932	DllCommonsvc.exe	201
PID 2932 wrote to memory of 4476	2932	DllCommonsvc.exe	202
PID 2932 wrote to memory of 4476	2932	DllCommonsvc.exe	202
PID 2932 wrote to memory of 4788	2932	DllCommonsvc.exe	203
PID 2932 wrote to memory of 4788	2932	DllCommonsvc.exe	203
PID 2932 wrote to memory of 3536	2932	DllCommonsvc.exe	204
PID 2932 wrote to memory of 3536	2932	DllCommonsvc.exe	204
PID 2932 wrote to memory of 3972	2932	DllCommonsvc.exe	205
PID 2932 wrote to memory of 3972	2932	DllCommonsvc.exe	205

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07552345be47f967de3ae8c87d775ae88bc214f916c342deee72237a3bdb43ac.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PhtJ9SjUaT.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4316
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1XDIfH43c8.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2284
        
        C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Registry.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\WmiPrvSE.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\RuntimeBroker.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\WaaSMedicAgent.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\conhost.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OfficeClickToRun.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\taskhostw.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\SppExtComObj.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\smss.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\spoolsv.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\Registry.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\WmiPrvSE.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8jKB6iiPpA.bat"
        9⤵
        
        PID:4568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5832
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
        11⤵
        
        PID:3488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5976
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"
        13⤵
        
        PID:5984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3116
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
        15⤵
        
        PID:3580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4180
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        17⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4072
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
        19⤵
        
        PID:4704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3480
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat"
        21⤵
        
        PID:1900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:5492
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
        23⤵
        
        PID:5464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3084
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
        25⤵
        
        PID:5900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4480
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
        27⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:5444
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        29⤵
        
        PID:4692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\de-DE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\providercommon\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\it-IT\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /f
1⤵
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
272dc716c99407615cc54be63824cd1e

SHA1
6aeeeee0a254473427af394b161c1020cf74ec0a

SHA256
0e772f1d15426881d1c79b319c8d52919383d1c1b861d1893a94c0e8bd472f06

SHA512
5a32034ea515f358ef4ec2e2f198fdc0dd0c5900645c4a8e8e1da7922ee19836d735ee726ce7d60b3015ab7abc10ebec2602fec24dca4f4e0798db2a7bf5aaf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5fc9ed5242e842e6224e159f456c2f42

SHA1
d5c7d361fc1d931d10b1db42d738d564d615e183

SHA256
8d15130f33a27cc560da8e9ad384e9cb08a1ef2534ed714c7f337fb2e6152d1e

SHA512
830c300f4d375eac6bed363de90fbc4f01f4885a4f880a989dc1a03890c1e00321145a19d2e0254a4fc328a13e15ac4e83288ba54fd918cc213fe28592a00dbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f6a77860cd9c5289dd6e45bbc36a982

SHA1
750d55b0d394bc5716fc3e3204975b029d3dc43b

SHA256
a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4

SHA512
e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8320aeea03d40a74715d8b9613f9d0cc

SHA1
09fcf3cf06de496b434aaf3181f5aed78731425e

SHA256
54d89ac6af0379f2fa8afc5137450f796cd22f70da2b6b68a299b23c521eb205

SHA512
7d6fd85c54a4c8a63069fa02cd8b892f448be8b11b97190653864a076bfe5f2d4061b354ce2e3ad8b49a0e482ee90992493bb823f5e6f664dc7ac3937a547dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d06cdca43854615c2f4158d9123cd34c

SHA1
0f8915650d5fe7d927ecae585db7bd6836e86c09

SHA256
ea2c29f8db33d6a5810fcb7d0280c8e0ee8ead3783dda94b0664f6526e47fa3b

SHA512
d72d8b21b07456395522ec255f90aa8ffdf48c350ba6f927889c54c178a1dee34ef8449c13cde10ab4eac5d013f78d4070c13ed34b57217907c2e9d318e3dba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c249d1546fa74aeda0e13ad7d0dc2815

SHA1
3fc3ae47b0d7fa3a2acb9347cb94e70c89c2467d

SHA256
9d30870071199e5fd2f9b6c73cec8ac9fe1503c3d60dbcb5591b775e9d166414

SHA512
2eb90f4da8fa278eaf6f46c13fd2477af3ea428d688049a45643c1c047203adee2389e42943b327f52b808cf7cac583f70ffef20f827908d59fc30af97ffc988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
979cd0c58b412e6faaf5f1a004fe0efb

SHA1
f5b61b68a560e751704e114d0b08634352dad623

SHA256
76b7fb61c2fc86ffa8c59632d66a5a8c6ce21cc19838c9b3fee8d246ba1dbc17

SHA512
78f02c29d4b8b588e81e2abe6fdb5ae022bb97867c3d13a7acd4a58cf6cc14a5f56c57f95730bb342fefa0acdc539c9a07ca06a294727d9815feae32f01c58c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
06ac741759229a7560289a6696924995

SHA1
e1808432385699095a0761c601437ebe3e0ec256

SHA256
d1d2ad030d1a8aee9d8147ea16c8753c946155300339c6e63803a5f7419f9e3d

SHA512
3f97e1649f3241a64f6cc0e80e9d605c36b5ab658f766066a9326b93db3703710e2bb9e2dd1398bd45a7a854533fed4475d9a61f52d9f092fcb9307853599e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2d45daa9e9acea96d8a2cadfd38aeb47

SHA1
a1d49dfe3b7ff32a914f4e5c6fca696878d7227c

SHA256
96341c1835589a0a0075c7cae08feb06a96c1a125fdbc650effc39b8ae36fbf5

SHA512
b6228fa8931b8a5bb5fba99ff706bb77aa21cfc03248c5d208c24e2a141c8cb79b4988eadf985441fa9d02e9525589ab69335315d604994a33ec92fe640731f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat

Filesize
207B

MD5
1d933f3c5a69d44292f7a4eade30ac18

SHA1
832447984a3f36149ee0917445c12ef6c26eb691

SHA256
b6b3bdb6165aa58db6272b81090dead6f9ec1a4c3172aa7466032b0bf3d05ae6

SHA512
5ba11e4c4e27bf5c7d816cf01a6977d078691c43e4fd38226ba36b9484a84da2df518da1aa8b419d013cb391ef5f378037b15dd2739c14392740dde952337348

Download Submit
C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

Filesize
207B

MD5
070fcb9b61bb77ba07d53e0c071092ed

SHA1
231ddafde293907079cc7c5fb8257e8cc6b95121

SHA256
25e69a021e0e0a32a32ea67a4e92f6a21895ceae273a8bb7c1ab35ff1b67aec5

SHA512
5b4f9f49c65f36ebf11d96d0455221c2fd14f1866acac329d4c0bdc4bbad0e277377fb370e634792f6907510f080a5c7c9a24c7b5dd198f5d8a3db6a7ee6313f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1XDIfH43c8.bat

Filesize
199B

MD5
c9a49fa3f2d980e52a215b9d2bc0873b

SHA1
5eff4f021e9b41a71c751ee22fceabac398b406a

SHA256
ddc376e2fcdbe9f827f665b3f54981a6a7a7973b9c892cda179aa20ef90ae583

SHA512
e1a581f9046a9d88f945f6ed60cc97973769d153af1df51faa04686166ee426312c3067a8deea8d3c3040956d21c3be3b98bd6ca3888bc146a05e6e221ee2989

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

Filesize
207B

MD5
d7a9d84b97f4f4e90064a29cb94cc3d8

SHA1
8009dad05324ca6c86df1a6cb48fd9c8bbe82e56

SHA256
5e9f5423c2f376f9c97804c9c35e80015016885da80bd4be902a03a000916d00

SHA512
1cc8749f6006f3b983f73b993646de2ff344897c59396247be86bcc156743a1a221e6646c6ef7357cd2af5ba75421d549195237a6220b3f8e3fac3a6856c0cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8jKB6iiPpA.bat

Filesize
207B

MD5
b7c334678888dfbc8714cf58bee1d1f0

SHA1
03cb3cdb28e954614c27e6021d9e7dd735fea852

SHA256
75b9c37a6a4a856641bbcefb8459e7d8f3dab3384c88c593c8c29466ff0c21e1

SHA512
cef4c993d112c20f5d8e0bea1268c1393300f490b6f4fc6ed498ae6fb8379b999546db101abb7afc15ce0b009086132c413d8a238548fbdf8ae29c520280a72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat

Filesize
207B

MD5
5b251d6457d0817fef0a70328904cd45

SHA1
8aa9ebae0c372e2e7ba0607281f8bf0f239ef1fe

SHA256
328c8d8e327a496d9af538ad0646f10b941b53c1866ad82c3116a4e850985370

SHA512
50323b37d1a6337536413ebebd91bba67a76b60a353e4b14ceedfea3b5a480024e2f361b781a6f5d85d2e73c1a0867aad6c56428731f4ffdecf46bebf1f383b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat

Filesize
207B

MD5
3c93c910e68592c4706601586e943a7f

SHA1
ef90406fbd0c80187bad162bb0c58657c2052bec

SHA256
3c694059ae02c50728d5cfc574842beb4ed5616722ed74adb26a4121d45e7c93

SHA512
87aa7e718145cba85971d0591317681aabb10a55d02b9e5548f02cdf00df4995a37beeab89bf962deb3bb0c9a2f5295209c26213bd6c63233f374b4c8d311523

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat

Filesize
207B

MD5
09569e6d90f74b10a9164f7822740274

SHA1
4b879608c0a2aa1a0ea57f4bdbdbcb459adcbc3f

SHA256
69403f071df503b0bac61c6785a8618d3be5006a46f959d45431697a2e74baaa

SHA512
0858a91d6aa9dbdab531871e53c46816636d450800a089633a2fe45803eb6d2146c0ece3310cf8e4c86747408c1a9e15793c796ee0e891fae7509f359c9004b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PhtJ9SjUaT.bat

Filesize
199B

MD5
c69219310e8889e9c90f6b7f63ea5362

SHA1
288f673620a69017b8681876eae1269f4b61d27f

SHA256
61c84b75de4b3327bb326f1c1e5d9dcc8557bbc60566284a56a4a8e805b4e000

SHA512
a685b8e153c7e057f01737b20cf8f365e79a9a7bfe43f4214296c1b24cc3d22fbf664bd58e8804ce1cecc9bd984598a817e74802a5c126f88173b5fb51ed0f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
207B

MD5
90ab0c93f7a55080582835c4d3e44ded

SHA1
b6ac7516836a47f961cabd3f0199a1468ea71d51

SHA256
0c00deed488eff2fa69e23611c89aaeec027d952f9d0911250f6ef8b0ad7dce3

SHA512
7603802d07619773e6b706103be33cdde02f13f73b47bc7651faefb09d487ae4f6ff52ce1f5fad9762e55af411be08676b2075e4b048999592aae92731c0a837

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0n5qgf5.1uy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

Filesize
207B

MD5
daa077bd97c99efe4da74c8f01a666f6

SHA1
341e7931d3c3743305fba551fd14e185e12c189a

SHA256
33a5d16a7099b91718b0388b6c6c46a8e5ac4fe978a138e901079e0cdffd5d7c

SHA512
973679a288b592a8e4e3c7fd990a2ea00c4a7a451448aa3605f5d4972b9671f30a67520cafc03de39c75ab84f2cf1d455440e0560417954970de82cda93adc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

Filesize
207B

MD5
c22481ef5c8352ebb5b829c38c93ccf4

SHA1
f705a4060329c5650d692e5ba0d1761e192419a3

SHA256
55bff0a2bc8d0b4a1e79bfe69a1caed46b0022e7a1177098c49c549126d774bb

SHA512
c3d79fd533e563336aa3673037233f7a5c67ab6b7e4e5b474e4c9b5c01dd07db3b427db659c0d84fe314222a057130884ba7e1c2fb21ac7f6037f1b248f44843

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

Filesize
207B

MD5
80f87590b089543c78cacc7c6371beb9

SHA1
a5edd053b9469758768c5e09973cbdd8b20d0e2b

SHA256
84971a0c9cdfd63dbb18bdc52cfcb395d2dccb50a47b775422b70c55c7df88c3

SHA512
05439056c54feb3a3712e8836207f39f94cfc88645b0f728448f54444affdf002aab736486766a301eca7b49867c486f094c96f9bbaa825bff76c478a63d68ec

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/936-78-0x000000001BBB0000-0x000000001BBC2000-memory.dmp

Filesize
72KB

Download
memory/1036-421-0x00000000029B0000-0x00000000029C2000-memory.dmp

Filesize
72KB

Download
memory/2984-396-0x0000000000E60000-0x0000000000E72000-memory.dmp

Filesize
72KB

Download
memory/3020-15-0x0000000002F80000-0x0000000002F8C000-memory.dmp

Filesize
48KB

Download
memory/3020-16-0x0000000002F90000-0x0000000002F9C000-memory.dmp

Filesize
48KB

Download
memory/3020-14-0x0000000001720000-0x0000000001732000-memory.dmp

Filesize
72KB

Download
memory/3020-13-0x0000000000D50000-0x0000000000E60000-memory.dmp

Filesize
1.1MB

Download
memory/3020-12-0x00007FFFE6AE3000-0x00007FFFE6AE5000-memory.dmp

Filesize
8KB

Download
memory/3020-17-0x0000000002FA0000-0x0000000002FAC000-memory.dmp

Filesize
48KB

Download
memory/5088-37-0x0000022A40B80000-0x0000022A40BA2000-memory.dmp

Filesize
136KB

Download