dcrat | a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe
Size

1.3MB
MD5

3c652c77f8e5bba7c0f55afce8a4d3f9
SHA1

96c019058b471ef6934d92d2b153d735e7034afa
SHA256

a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af
SHA512

35ce34a4981a532fb7d69a0d9e55510aaf85d76c0dd445afd056d9f6126738047ca2761626e9891508d5e7ea38174931896ec1f76d1ecff4d51f99986fca26ab
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5144	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5176	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5276	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	208	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5384	208	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb6-10.dat	dcrat
behavioral2/memory/2156-13-0x00000000006F0000-0x0000000000800000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 40 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1884	powershell.exe
3564	powershell.exe
1072	powershell.exe
5612	powershell.exe
5816	powershell.exe
1444	powershell.exe
5668	powershell.exe
5716	powershell.exe
5696	powershell.exe
5736	powershell.exe
1388	powershell.exe
5704	powershell.exe
5008	powershell.exe
216	powershell.exe
320	powershell.exe
224	powershell.exe
1188	powershell.exe
1280	powershell.exe
5760	powershell.exe
1988	powershell.exe
5660	powershell.exe
4648	powershell.exe
3960	powershell.exe
5728	powershell.exe
5756	powershell.exe
2448	powershell.exe
2868	powershell.exe
5044	powershell.exe
1200	powershell.exe
2348	powershell.exe
3904	powershell.exe
628	powershell.exe
4224	powershell.exe
5652	powershell.exe
5784	powershell.exe
1120	powershell.exe
5628	powershell.exe
5692	powershell.exe
5796	powershell.exe
5820	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Executes dropped EXE 24 IoCs

pid	Process
2156	DllCommonsvc.exe
1632	DllCommonsvc.exe
944	DllCommonsvc.exe
5660	powershell.exe
5628	powershell.exe
5668	powershell.exe
5692	powershell.exe
5704	powershell.exe
5716	powershell.exe
5696	powershell.exe
5728	powershell.exe
5760	powershell.exe
5796	powershell.exe
5816	powershell.exe
1988	powershell.exe
5820	powershell.exe
5784	powershell.exe
4648	powershell.exe
5736	powershell.exe
5756	powershell.exe
5612	powershell.exe
5652	powershell.exe
1388	powershell.exe
1404	upfc.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\reports\c82b8037eab33d	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\reports\WaaSMedicAgent.exe	DllCommonsvc.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\bcastdvr\WaaSMedicAgent.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\bcastdvr\WaaSMedicAgent.exe	DllCommonsvc.exe
File created	C:\Windows\bcastdvr\c82b8037eab33d	DllCommonsvc.exe
File created	C:\Windows\Sun\taskhostw.exe	DllCommonsvc.exe
File created	C:\Windows\appcompat\appraiser\Telemetry\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\IME\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Windows\IME\es-ES\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\appcompat\appraiser\Telemetry\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\Sun\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\taskhostw.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	DllCommonsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5624	schtasks.exe
5864	schtasks.exe
4488	schtasks.exe
3008	schtasks.exe
5568	schtasks.exe
5460	schtasks.exe
5640	schtasks.exe
3004	schtasks.exe
5116	schtasks.exe
5176	schtasks.exe
5696	schtasks.exe
64	schtasks.exe
5444	schtasks.exe
5516	schtasks.exe
5440	schtasks.exe
5472	schtasks.exe
3816	schtasks.exe
4572	schtasks.exe
5144	schtasks.exe
2040	schtasks.exe
1696	schtasks.exe
5736	schtasks.exe
5900	schtasks.exe
6096	schtasks.exe
5320	schtasks.exe
996	schtasks.exe
3952	schtasks.exe
3620	schtasks.exe
5372	schtasks.exe
4864	schtasks.exe
5092	schtasks.exe
5488	schtasks.exe
5556	schtasks.exe
4212	schtasks.exe
5100	schtasks.exe
3368	schtasks.exe
5792	schtasks.exe
5180	schtasks.exe
5572	schtasks.exe
4480	schtasks.exe
2164	schtasks.exe
3116	schtasks.exe
2028	schtasks.exe
5140	schtasks.exe
3088	schtasks.exe
5424	schtasks.exe
2056	schtasks.exe
5276	schtasks.exe
5608	schtasks.exe
5752	schtasks.exe
3904	schtasks.exe
3780	schtasks.exe
5920	schtasks.exe
5584	schtasks.exe
3368	schtasks.exe
5832	schtasks.exe
5492	schtasks.exe
5152	schtasks.exe
5596	schtasks.exe
3028	schtasks.exe
1448	schtasks.exe
5776	schtasks.exe
976	schtasks.exe
5240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	DllCommonsvc.exe
3564	powershell.exe
1120	powershell.exe
1884	powershell.exe
3564	powershell.exe
1632	DllCommonsvc.exe
1120	powershell.exe
1884	powershell.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1632	DllCommonsvc.exe
1444	powershell.exe
1444	powershell.exe
3904	powershell.exe
3904	powershell.exe
1200	powershell.exe
1200	powershell.exe
2868	powershell.exe
2868	powershell.exe
5008	powershell.exe
5008	powershell.exe
224	powershell.exe
224	powershell.exe
1072	powershell.exe
1072	powershell.exe
216	powershell.exe
216	powershell.exe
320	powershell.exe
320	powershell.exe
3960	powershell.exe
3960	powershell.exe
2348	powershell.exe
2348	powershell.exe
1280	powershell.exe
1280	powershell.exe
4224	powershell.exe
4224	powershell.exe
5044	powershell.exe
5044	powershell.exe
628	powershell.exe
628	powershell.exe
2448	powershell.exe
2448	powershell.exe
1188	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	DllCommonsvc.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1632	DllCommonsvc.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	944	DllCommonsvc.exe
Token: SeDebugPrivilege	5668	powershell.exe
Token: SeDebugPrivilege	5628	powershell.exe
Token: SeDebugPrivilege	5704	powershell.exe
Token: SeDebugPrivilege	5716	powershell.exe
Token: SeDebugPrivilege	5696	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	5760	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	5692	powershell.exe
Token: SeDebugPrivilege	5660	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	5736	powershell.exe
Token: SeDebugPrivilege	5756	powershell.exe
Token: SeDebugPrivilege	5796	powershell.exe
Token: SeDebugPrivilege	5612	powershell.exe
Token: SeDebugPrivilege	5816	powershell.exe
Token: SeDebugPrivilege	5652	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	5784	powershell.exe
Token: SeDebugPrivilege	5728	powershell.exe
Token: SeDebugPrivilege	1404	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 3724	3116	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe	82
PID 3116 wrote to memory of 3724	3116	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe	82
PID 3116 wrote to memory of 3724	3116	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe	82
PID 3724 wrote to memory of 4396	3724	WScript.exe	83
PID 3724 wrote to memory of 4396	3724	WScript.exe	83
PID 3724 wrote to memory of 4396	3724	WScript.exe	83
PID 4396 wrote to memory of 2156	4396	cmd.exe	85
PID 4396 wrote to memory of 2156	4396	cmd.exe	85
PID 2156 wrote to memory of 1120	2156	DllCommonsvc.exe	95
PID 2156 wrote to memory of 1120	2156	DllCommonsvc.exe	95
PID 2156 wrote to memory of 1884	2156	DllCommonsvc.exe	96
PID 2156 wrote to memory of 1884	2156	DllCommonsvc.exe	96
PID 2156 wrote to memory of 3564	2156	DllCommonsvc.exe	97
PID 2156 wrote to memory of 3564	2156	DllCommonsvc.exe	97
PID 2156 wrote to memory of 1632	2156	DllCommonsvc.exe	100
PID 2156 wrote to memory of 1632	2156	DllCommonsvc.exe	100
PID 1632 wrote to memory of 1444	1632	DllCommonsvc.exe	151
PID 1632 wrote to memory of 1444	1632	DllCommonsvc.exe	151
PID 1632 wrote to memory of 2448	1632	DllCommonsvc.exe	152
PID 1632 wrote to memory of 2448	1632	DllCommonsvc.exe	152
PID 1632 wrote to memory of 3960	1632	DllCommonsvc.exe	153
PID 1632 wrote to memory of 3960	1632	DllCommonsvc.exe	153
PID 1632 wrote to memory of 2868	1632	DllCommonsvc.exe	154
PID 1632 wrote to memory of 2868	1632	DllCommonsvc.exe	154
PID 1632 wrote to memory of 5008	1632	DllCommonsvc.exe	155
PID 1632 wrote to memory of 5008	1632	DllCommonsvc.exe	155
PID 1632 wrote to memory of 1072	1632	DllCommonsvc.exe	156
PID 1632 wrote to memory of 1072	1632	DllCommonsvc.exe	156
PID 1632 wrote to memory of 216	1632	DllCommonsvc.exe	157
PID 1632 wrote to memory of 216	1632	DllCommonsvc.exe	157
PID 1632 wrote to memory of 3904	1632	DllCommonsvc.exe	158
PID 1632 wrote to memory of 3904	1632	DllCommonsvc.exe	158
PID 1632 wrote to memory of 628	1632	DllCommonsvc.exe	159
PID 1632 wrote to memory of 628	1632	DllCommonsvc.exe	159
PID 1632 wrote to memory of 320	1632	DllCommonsvc.exe	160
PID 1632 wrote to memory of 320	1632	DllCommonsvc.exe	160
PID 1632 wrote to memory of 224	1632	DllCommonsvc.exe	161
PID 1632 wrote to memory of 224	1632	DllCommonsvc.exe	161
PID 1632 wrote to memory of 4224	1632	DllCommonsvc.exe	162
PID 1632 wrote to memory of 4224	1632	DllCommonsvc.exe	162
PID 1632 wrote to memory of 1188	1632	DllCommonsvc.exe	163
PID 1632 wrote to memory of 1188	1632	DllCommonsvc.exe	163
PID 1632 wrote to memory of 5044	1632	DllCommonsvc.exe	164
PID 1632 wrote to memory of 5044	1632	DllCommonsvc.exe	164
PID 1632 wrote to memory of 1200	1632	DllCommonsvc.exe	165
PID 1632 wrote to memory of 1200	1632	DllCommonsvc.exe	165
PID 1632 wrote to memory of 2348	1632	DllCommonsvc.exe	166
PID 1632 wrote to memory of 2348	1632	DllCommonsvc.exe	166
PID 1632 wrote to memory of 1280	1632	DllCommonsvc.exe	167
PID 1632 wrote to memory of 1280	1632	DllCommonsvc.exe	167
PID 1632 wrote to memory of 944	1632	DllCommonsvc.exe	185
PID 1632 wrote to memory of 944	1632	DllCommonsvc.exe	185
PID 944 wrote to memory of 5612	944	DllCommonsvc.exe	245
PID 944 wrote to memory of 5612	944	DllCommonsvc.exe	245
PID 944 wrote to memory of 5652	944	DllCommonsvc.exe	246
PID 944 wrote to memory of 5652	944	DllCommonsvc.exe	246
PID 944 wrote to memory of 5628	944	DllCommonsvc.exe	247
PID 944 wrote to memory of 5628	944	DllCommonsvc.exe	247
PID 944 wrote to memory of 1388	944	DllCommonsvc.exe	248
PID 944 wrote to memory of 1388	944	DllCommonsvc.exe	248
PID 944 wrote to memory of 5660	944	DllCommonsvc.exe	249
PID 944 wrote to memory of 5660	944	DllCommonsvc.exe	249
PID 944 wrote to memory of 5668	944	DllCommonsvc.exe	250
PID 944 wrote to memory of 5668	944	DllCommonsvc.exe	250

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\WaaSMedicAgent.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TextInputHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5612
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5652
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5628
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5660
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\StartMenuExperienceHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5668
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5692
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5704
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5696
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5728
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5760
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5736
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\es-ES\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5756
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\WaaSMedicAgent.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5784
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\Telemetry\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5796
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5820
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lzRrjJdiIL.bat"
        7⤵
        
        PID:3724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5360
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\bcastdvr\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\Sun\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Sun\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\providercommon\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\providercommon\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\powershell.exe'" /f
1⤵
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\conhost.exe'" /f
1⤵
PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /f
1⤵
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
PID:5808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\explorer.exe'" /rl HIGHEST /f
1⤵
PID:5848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\powershell.exe'" /f
1⤵
PID:5888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\es-ES\services.exe'" /f
1⤵
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\IME\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\reports\WaaSMedicAgent.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\reports\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\appraiser\Telemetry\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\appraiser\Telemetry\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fe9b96bc4e29457b2d225a5412322a52

SHA1
551e29903e926b5d6c52a8f57cf10475ba790bd0

SHA256
e81b9bfd38a5199813d703d5caf75baa6f62847b2b9632302b5d6f10dd6cf997

SHA512
ff912526647f6266f37749dfdc3ed5fd37c35042ba481331434168704c827d128c22093ba73d7ad0cecde10365f0978fcd3f3e2af1a1c280cd2e592a62d5fa80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
057e7742b25e65a341d1341da25b54a8

SHA1
65c874ac4f429a4172bdf89a73922e39873ecab6

SHA256
f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468

SHA512
94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
30556bf0f907d99ce6d6a9041db4ebcf

SHA1
01bc8afb6ff0468f9774f2a64b95c84da80f547c

SHA256
2f13d0496db771701d1963aa359573f3fdf0cfaeb7cefbe87945d139ec60a845

SHA512
7d1e9f09e5c094bff542ae8664e9244102026c580b673c5a8a5bcb646dc04c8ca8453f4bcb4408b59e945ed570d6f11b085481681f5f05d009193fe8d157c699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08526e4d8fed0a382c243c9aa8b1fe45

SHA1
f3da4b97529aaa38230db8bfa34a345bbc211622

SHA256
b5044625d66b7835745c7c4efa14d21aaf4ee42bf971f8bbc44f04416b91441f

SHA512
cbeb569db60eabd89c13b073f1bdf7ba991b6206e75f548396a150b08a0ffed1962d88d664e069c64ac740afbb69941df2f43e81a3f138e2185934967898941d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8fbdf20dd30b6ccf91308090184986d8

SHA1
fde6e3a60582552e322af16289c63d6943a18a78

SHA256
3b67692f7e6b5569626ecbf266289b9ae7cb4dc40ee5165eb6c6ea70c5f1f78b

SHA512
3ceefad823f555c522d46b266a6c77ea51002f1fb7426992f8a4ea70f0b9cf1ab6979db319c480cfcd51dc393407d3de5e111368b951a6d15766aa296045ffee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c625954a51c4bbd8141206b00f6fc0a

SHA1
4128cb2f9d2984844e303e2e330e448334e5c273

SHA256
952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

SHA512
3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15ecf7befdd61e392069b89a6ff3e696

SHA1
450d56925e14ab39b358398925155d29858ede4a

SHA256
55ed29ae021ba87ef7fbe4994236ec27fdb5b45729233671d7c94500968a22e8

SHA512
25a2fae95346688b82429d15b024b1c2fe41e74fbc2239c7f6853b10d95892109234c433959c2e01b2bbba7815f5428b7e8b4cbce1d0ab1deb863475c2cc0e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c51jhr2f.a5h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lzRrjJdiIL.bat

Filesize
195B

MD5
69e2bd631e2a20e205133cfa0a5076ea

SHA1
e9b40957f4d4e64fe171d31cfc5e9fd33a8c65a0

SHA256
b29e2ea93522d253321487720d534a9986d46773d359dfb5eb20ae6bc3dcad72

SHA512
109be84620bc90aa6da7b00fdcaddf5f2fbc620712965df67ca8c2fca15e9282624ced88d4bb9af611f3bdc5684e29d92c961e23d33f37c14168234c3918bbe7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/944-185-0x0000000002B50000-0x0000000002B62000-memory.dmp

Filesize
72KB

Download
memory/1632-49-0x0000000003190000-0x00000000031A2000-memory.dmp

Filesize
72KB

Download
memory/2156-17-0x0000000002920000-0x000000000292C000-memory.dmp

Filesize
48KB

Download
memory/2156-16-0x0000000002910000-0x000000000291C000-memory.dmp

Filesize
48KB

Download
memory/2156-15-0x0000000002930000-0x000000000293C000-memory.dmp

Filesize
48KB

Download
memory/2156-14-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2156-13-0x00000000006F0000-0x0000000000800000-memory.dmp

Filesize
1.1MB

Download
memory/2156-12-0x00007FF857033000-0x00007FF857035000-memory.dmp

Filesize
8KB

Download
memory/3564-30-0x0000020C564A0000-0x0000020C564C2000-memory.dmp

Filesize
136KB

Download