dcrat | 81e6c1a57860b1329d86ea2c4a16cda70617aba4c646f6d19ced442356485126

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_81e6c1a57860b1329d86ea2c4a16cda70617aba4c646f6d19ced442356485126.exe
Size

1.3MB
MD5

a57b8814af31fe44043491c1d2d1a564
SHA1

2bc5ce6a668c261ddcf81f087df1e0bc3e740f91
SHA256

81e6c1a57860b1329d86ea2c4a16cda70617aba4c646f6d19ced442356485126
SHA512

99dc8252d2327dca8fd5eec79917b89b9965f3df787a8391d157051a5c45b22614cd46082281a80c15f75eea594efedd22f532cafcfbe87b19f032e0800b838c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1520	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016458-9.dat	dcrat
behavioral1/memory/2660-13-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2532-51-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2160-233-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat
behavioral1/memory/2832-292-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/2708-353-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2564-532-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2788-593-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/2148-710-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 29 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1904	powershell.exe
1644	powershell.exe
564	powershell.exe
2624	powershell.exe
592	powershell.exe
1484	powershell.exe
2992	powershell.exe
2972	powershell.exe
1924	powershell.exe
744	powershell.exe
1236	powershell.exe
764	powershell.exe
1608	powershell.exe
1360	powershell.exe
2144	powershell.exe
820	powershell.exe
2096	powershell.exe
2660	powershell.exe
2220	powershell.exe
812	powershell.exe
2976	powershell.exe
1572	powershell.exe
2624	powershell.exe
2852	powershell.exe
2052	powershell.exe
2960	powershell.exe
1736	powershell.exe
2984	powershell.exe
2696	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2660	DllCommonsvc.exe
2532	DllCommonsvc.exe
1336	DllCommonsvc.exe
2160	schtasks.exe
2832	schtasks.exe
2708	schtasks.exe
1596	schtasks.exe
2408	schtasks.exe
2564	schtasks.exe
2788	schtasks.exe
1948	schtasks.exe
2148	schtasks.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	cmd.exe
2672	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
13	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\en-US\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\3a6fe29a7ceee6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\en-US\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\schtasks.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\it-IT\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6cb0b6c459d5d3	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\PLA\System\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Favorites\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Favorites\e978f868350d50	DllCommonsvc.exe
File created	C:\Windows\tracing\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\PLA\System\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_81e6c1a57860b1329d86ea2c4a16cda70617aba4c646f6d19ced442356485126.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1376	schtasks.exe
1712	schtasks.exe
1696	schtasks.exe
2196	schtasks.exe
2428	schtasks.exe
280	schtasks.exe
2852	schtasks.exe
2144	schtasks.exe
1272	schtasks.exe
1328	schtasks.exe
1704	schtasks.exe
556	schtasks.exe
1808	schtasks.exe
1716	schtasks.exe
2780	schtasks.exe
1088	schtasks.exe
548	schtasks.exe
1592	schtasks.exe
2724	schtasks.exe
2996	schtasks.exe
2172	schtasks.exe
2540	schtasks.exe
2664	schtasks.exe
760	schtasks.exe
2684	schtasks.exe
1952	schtasks.exe
1852	schtasks.exe
2512	schtasks.exe
992	schtasks.exe
2344	schtasks.exe
2788	schtasks.exe
2964	schtasks.exe
2608	schtasks.exe
1464	schtasks.exe
1548	schtasks.exe
1180	schtasks.exe
2760	schtasks.exe
648	schtasks.exe
1932	schtasks.exe
2996	schtasks.exe
1144	schtasks.exe
2936	schtasks.exe
2820	schtasks.exe
1308	schtasks.exe
2248	schtasks.exe
548	schtasks.exe
3004	schtasks.exe
2788	schtasks.exe
2440	schtasks.exe
760	schtasks.exe
1764	schtasks.exe
2024	schtasks.exe
2492	schtasks.exe
1524	schtasks.exe
364	schtasks.exe
2968	schtasks.exe
2100	schtasks.exe
868	schtasks.exe
2792	schtasks.exe
2224	schtasks.exe
2604	schtasks.exe
1868	schtasks.exe
868	schtasks.exe
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	DllCommonsvc.exe
592	powershell.exe
2624	powershell.exe
2096	powershell.exe
2696	powershell.exe
2532	DllCommonsvc.exe
2532	DllCommonsvc.exe
2532	DllCommonsvc.exe
2532	DllCommonsvc.exe
2532	DllCommonsvc.exe
2532	DllCommonsvc.exe
2532	DllCommonsvc.exe
2972	powershell.exe
1904	powershell.exe
1644	powershell.exe
2992	powershell.exe
2984	powershell.exe
1484	powershell.exe
764	powershell.exe
2976	powershell.exe
2660	powershell.exe
2052	powershell.exe
1608	powershell.exe
1572	powershell.exe
1336	DllCommonsvc.exe
1360	powershell.exe
1924	powershell.exe
2624	powershell.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
1336	DllCommonsvc.exe
744	powershell.exe
564	powershell.exe
812	powershell.exe
2220	powershell.exe
1236	powershell.exe
2852	powershell.exe
1736	powershell.exe
820	powershell.exe
2960	powershell.exe
2144	powershell.exe
2160	schtasks.exe
2832	schtasks.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	DllCommonsvc.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2532	DllCommonsvc.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1336	DllCommonsvc.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2160	schtasks.exe
Token: SeDebugPrivilege	2832	schtasks.exe
Token: SeDebugPrivilege	2708	schtasks.exe
Token: SeDebugPrivilege	1596	schtasks.exe
Token: SeDebugPrivilege	2408	schtasks.exe
Token: SeDebugPrivilege	2564	schtasks.exe
Token: SeDebugPrivilege	2788	schtasks.exe
Token: SeDebugPrivilege	1948	schtasks.exe
Token: SeDebugPrivilege	2148	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_81e6c1a57860b1329d86ea2c4a16cda70617aba4c646f6d19ced442356485126.exe	30
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_81e6c1a57860b1329d86ea2c4a16cda70617aba4c646f6d19ced442356485126.exe	30
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_81e6c1a57860b1329d86ea2c4a16cda70617aba4c646f6d19ced442356485126.exe	30
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_81e6c1a57860b1329d86ea2c4a16cda70617aba4c646f6d19ced442356485126.exe	30
PID 2180 wrote to memory of 2672	2180	WScript.exe	31
PID 2180 wrote to memory of 2672	2180	WScript.exe	31
PID 2180 wrote to memory of 2672	2180	WScript.exe	31
PID 2180 wrote to memory of 2672	2180	WScript.exe	31
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2660 wrote to memory of 2096	2660	DllCommonsvc.exe	44
PID 2660 wrote to memory of 2096	2660	DllCommonsvc.exe	44
PID 2660 wrote to memory of 2096	2660	DllCommonsvc.exe	44
PID 2660 wrote to memory of 592	2660	DllCommonsvc.exe	45
PID 2660 wrote to memory of 592	2660	DllCommonsvc.exe	45
PID 2660 wrote to memory of 592	2660	DllCommonsvc.exe	45
PID 2660 wrote to memory of 2696	2660	DllCommonsvc.exe	47
PID 2660 wrote to memory of 2696	2660	DllCommonsvc.exe	47
PID 2660 wrote to memory of 2696	2660	DllCommonsvc.exe	47
PID 2660 wrote to memory of 2624	2660	DllCommonsvc.exe	48
PID 2660 wrote to memory of 2624	2660	DllCommonsvc.exe	48
PID 2660 wrote to memory of 2624	2660	DllCommonsvc.exe	48
PID 2660 wrote to memory of 1900	2660	DllCommonsvc.exe	52
PID 2660 wrote to memory of 1900	2660	DllCommonsvc.exe	52
PID 2660 wrote to memory of 1900	2660	DllCommonsvc.exe	52
PID 1900 wrote to memory of 2396	1900	cmd.exe	54
PID 1900 wrote to memory of 2396	1900	cmd.exe	54
PID 1900 wrote to memory of 2396	1900	cmd.exe	54
PID 1900 wrote to memory of 2532	1900	cmd.exe	56
PID 1900 wrote to memory of 2532	1900	cmd.exe	56
PID 1900 wrote to memory of 2532	1900	cmd.exe	56
PID 2532 wrote to memory of 1644	2532	DllCommonsvc.exe	99
PID 2532 wrote to memory of 1644	2532	DllCommonsvc.exe	99
PID 2532 wrote to memory of 1644	2532	DllCommonsvc.exe	99
PID 2532 wrote to memory of 1904	2532	DllCommonsvc.exe	100
PID 2532 wrote to memory of 1904	2532	DllCommonsvc.exe	100
PID 2532 wrote to memory of 1904	2532	DllCommonsvc.exe	100
PID 2532 wrote to memory of 2984	2532	DllCommonsvc.exe	101
PID 2532 wrote to memory of 2984	2532	DllCommonsvc.exe	101
PID 2532 wrote to memory of 2984	2532	DllCommonsvc.exe	101
PID 2532 wrote to memory of 2972	2532	DllCommonsvc.exe	102
PID 2532 wrote to memory of 2972	2532	DllCommonsvc.exe	102
PID 2532 wrote to memory of 2972	2532	DllCommonsvc.exe	102
PID 2532 wrote to memory of 2992	2532	DllCommonsvc.exe	103
PID 2532 wrote to memory of 2992	2532	DllCommonsvc.exe	103
PID 2532 wrote to memory of 2992	2532	DllCommonsvc.exe	103
PID 2532 wrote to memory of 764	2532	DllCommonsvc.exe	105
PID 2532 wrote to memory of 764	2532	DllCommonsvc.exe	105
PID 2532 wrote to memory of 764	2532	DllCommonsvc.exe	105
PID 2532 wrote to memory of 2624	2532	DllCommonsvc.exe	111
PID 2532 wrote to memory of 2624	2532	DllCommonsvc.exe	111
PID 2532 wrote to memory of 2624	2532	DllCommonsvc.exe	111
PID 2532 wrote to memory of 1572	2532	DllCommonsvc.exe	112
PID 2532 wrote to memory of 1572	2532	DllCommonsvc.exe	112
PID 2532 wrote to memory of 1572	2532	DllCommonsvc.exe	112
PID 2532 wrote to memory of 2052	2532	DllCommonsvc.exe	113
PID 2532 wrote to memory of 2052	2532	DllCommonsvc.exe	113
PID 2532 wrote to memory of 2052	2532	DllCommonsvc.exe	113
PID 2532 wrote to memory of 2976	2532	DllCommonsvc.exe	114
PID 2532 wrote to memory of 2976	2532	DllCommonsvc.exe	114
PID 2532 wrote to memory of 2976	2532	DllCommonsvc.exe	114
PID 2532 wrote to memory of 2660	2532	DllCommonsvc.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81e6c1a57860b1329d86ea2c4a16cda70617aba4c646f6d19ced442356485126.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81e6c1a57860b1329d86ea2c4a16cda70617aba4c646f6d19ced442356485126.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mqKWPsdws2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2396
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\de-DE\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\System\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\en-US\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\powershell.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\lsass.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Favorites\powershell.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\schtasks.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\schtasks.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvGBYmjZie.bat"
        8⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:992
        
        C:\Program Files (x86)\MSBuild\schtasks.exe
        
        "C:\Program Files (x86)\MSBuild\schtasks.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
        10⤵
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2848
        
        C:\Program Files (x86)\MSBuild\schtasks.exe
        
        "C:\Program Files (x86)\MSBuild\schtasks.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        12⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1288
        
        C:\Program Files (x86)\MSBuild\schtasks.exe
        
        "C:\Program Files (x86)\MSBuild\schtasks.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
        14⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2884
        
        C:\Program Files (x86)\MSBuild\schtasks.exe
        
        "C:\Program Files (x86)\MSBuild\schtasks.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"
        16⤵
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1688
        
        C:\Program Files (x86)\MSBuild\schtasks.exe
        
        "C:\Program Files (x86)\MSBuild\schtasks.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
        18⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2464
        
        C:\Program Files (x86)\MSBuild\schtasks.exe
        
        "C:\Program Files (x86)\MSBuild\schtasks.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        20⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2264
        
        C:\Program Files (x86)\MSBuild\schtasks.exe
        
        "C:\Program Files (x86)\MSBuild\schtasks.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
        22⤵
        
        PID:324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2816
        
        C:\Program Files (x86)\MSBuild\schtasks.exe
        
        "C:\Program Files (x86)\MSBuild\schtasks.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        24⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1772
        
        C:\Program Files (x86)\MSBuild\schtasks.exe
        
        "C:\Program Files (x86)\MSBuild\schtasks.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\System\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\PLA\System\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\System\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\Libraries\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\schtasks.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\schtasks.exe'" /f
1⤵
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
1⤵
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ca4e6a73ebfe0d53ce61619abde1c0b

SHA1
01e997cf367db232b40f3b17a67de5df8dcd188e

SHA256
0a99a9d246bc813ab0098deff97a33bd4b188ab45b23f1c3cb53cc3588188bcf

SHA512
3f0294655bbc28106853f69745c14675c084c298853a5e862309a0ded7fe0dca70281b7ff091ead5e8a96f2300644cec3ebc5ba4b5386712dc7f92ec9e3d2200

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73e7f3b6d67ccdb10734369e1e2d95d1

SHA1
5d7b8d39000107abd6e8e025797925f9631b6ff2

SHA256
bfa7553cba9813e662751d381087977c7e7c444624bdd928dc0a7387e694ccee

SHA512
545be6ce76c5a0b32bdff0fda168f6b3909220d29374c2db3e3d11aae99425dbc5a6f6ad69fbc2ffa5b5d0856c04ee3ee21da21d174084abbbaf3359797cb012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7401237e5f1caaa2296d3c492c8a36eb

SHA1
545d97890204947540589d0d8b63b3efeb12d969

SHA256
dc44b466ac0748b2416b13ff7db38fb1108d85e7eb3ea6826e95f0f0ecebcd2d

SHA512
f83ad02e45f39453edadf7217a3939adab9f466b5bc8e3ba3dbb504e20a70d8c189efb2992d26ed76ef45df440b2a42574b0c7c9dff4732a2f544ef0bfecc6e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d052f8b24e4d34b723e63134be77f0dc

SHA1
d35cbb6518443db3a043d9b2ef92b2b8332ef1db

SHA256
f175002124e43a1a854868690552ad3fa1808bb193d94ed7ed8107c8a7c3d025

SHA512
58c97dd0d0017d2c9c7e581a5257b6316d570d45948591ed33c8d9d2d4aa9ceb154680262972855f296f1cd686b924e37798fdf9017aa01e14e3c522ef8e7f78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7386dd2a9c77c35775e6c5703743e52

SHA1
4362b3a704761fa1f59dd44d6d32840c00cfa893

SHA256
55c28879a15edaf71b5cc2af6189bb66bee364c08677944458f748b976573a0e

SHA512
c5b65d02f2033199d4dc26125f9c792e802ca2de73cf6f0c5d7cf1579831e2feb319b435b75c363e0b3b0a3362c39386c396dc24d9abb796c7d22d0988a38956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abc6a852149e8797e8bb5ee6f4c447db

SHA1
68d9277fc0562d7d4166500417f0f5f17e76d860

SHA256
1d92916cbc847c899c5680c679f4b8ccbc031534dcec9111b8ad663ab8b001bf

SHA512
e5958df837d759aba2f1f03b775465241706283797464c74a3e7338c66841458c316974a9c775730be926b26b1f62e81188496a3649ead3eb7803f9a89fd6044

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0962e3af4a6840eb33a4d5a995b5ad2

SHA1
ded9a7db26e92e288f4eef52e379554d037e4983

SHA256
b61969c0dbfc56297ab249b0b298909dfdc5b985c236d3c7fbe3b52b0d63334f

SHA512
5f6f8bb2fb652b445e2aebfc6f5d7b9577365c5df8cf73feed4f4b4016c034ce5b5e7c9bbaa58aa1b46da67ef9fb1af74acd8cfdb98cf021df31f399f64d55c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
208B

MD5
f3a1350905d1cc1fbd6c1053f823e53a

SHA1
ed9ecb9068fb5a2170b54b78cb3d4810fe637d76

SHA256
bf18ae88f57c186182a284aaff5cbf8954d881d065fc17be0db74f50a4fe9c25

SHA512
d265c0e68ef997ed9559b8282f80c91f947065ce12b2dbaeac57ab07d673bf7a8a2b1aa394e0ad11b45b1a701bfa665725c89d9e403a67e2a55dcbba7a9c855b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

Filesize
208B

MD5
037bf75e16eb027a9f71bf7fd0f8fbef

SHA1
144aad241c7b7389e653afdffaed5c08f6ab2504

SHA256
57dc58168d9a9f1b3e61c41410811d282f987e5db849f0258fd321f2ed787142

SHA512
531d575e6d3cb44060fbbeabba6c6dde6c280f5d9f689689ffacfabd7c5423f5c6f8fb87ba35752da1301db14c5f6bf4e4236061af0e94c22105f4b8ce423cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

Filesize
208B

MD5
a9734294071656517face4c561870b4d

SHA1
46ee058e12f62508684cd4d22fab42d7968faf35

SHA256
405b64e2210088f0ad451924353059b6649af2c77fcee2c0711424ed2235bb19

SHA512
e459b400ae6df468faed3fa4a3063f9ab6f2e78b8a4abe4e0e9af0b3c0caa885b55b1e97c352ed4e6035ba6296d13b120f23dbe1718eda1afa070f9e31591c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AvGBYmjZie.bat

Filesize
208B

MD5
8d92ea6efaa402d04da6ed378e517960

SHA1
eee3aedba5d6cda5c8b1c5ca43ec61d8836f2a2c

SHA256
0ee529a31c8dab24bd8d1b425a2bf374d5612e6906e45c1bce8e5c54377d4bc4

SHA512
7dced84a5f91c65fe4fa4fa97ad920fc26dabb34465aa5f75da36406ec01b833defd62812e394ca98a0813fe4ec287459987456ac9d784489d341e67becc4423

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEACE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

Filesize
208B

MD5
db1c4641d60601a0e096f6478528ff61

SHA1
2e1bae8574f086da2ca97f6348d490a6f2f04350

SHA256
e6d4ae277ea362d38bfa2f86147a2c61e430784fc94128e4324b52602df92a9f

SHA512
a8aaa2067a79b4dca98d634df1778641756969884333c81cb7ed5d7e01fe2fcd3a9f625aad57f16ed7890845e3535f5e63650db5aef9d5b489b396abb3add82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
208B

MD5
ddad8e9cb06ab6c7ba2922cf8481236f

SHA1
bd45dc4c2241900139f37c157aea89d364aa4361

SHA256
4362ab24f219d94c15e566ab817161cb1ed99f0d8f1666c74d4d55d0249c18ac

SHA512
3bc81cff187bb9263996568faa49a0a796f60913ff54c8c3b1df1a565e74d552ab72fb37001295a948ef4b05d81db7defd2826d83c6cc206b77448d3fe7a8138

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

Filesize
208B

MD5
fe042d94c183a73916ab4d5d53eb9890

SHA1
e0bc27e3c7fc549774de0c2be22c362d55a049e9

SHA256
443b74ae1b298a499a100fae2206810ca5cadfec6ed99d090bc3cfe572e12bdb

SHA512
c9d583c52360c3f393af6b2ee44998d676484ec63a9dec6ccce8f29bad8e43c376df496678a193d6183440d11a060f0425769cb56649f43a06d601574be50438

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEB6D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

Filesize
208B

MD5
2bbf15e08e1a15844e6c063cd413a0ee

SHA1
55316ad1d2150efaae066e18686e6c902d96db53

SHA256
a8d5928855953a00291c9c96e56f5974e6ecf6ed7f0b62a3388035edcdb5c2ab

SHA512
31c81784e0293fb96f5703cc3dd1c9ae575535e5a65f47c125ccf5c7f990744e9c276af542b71e7a50600221cdbf5edc62c2132c0f4147350ba85eaa9ae9c3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqKWPsdws2.bat

Filesize
199B

MD5
9bc80f842bdfdee5b63e1319a06a03d4

SHA1
c49bf9e1949fcc6c78e00c90c23842e8b000ca02

SHA256
a6d3ef08cc021e58bc857f3231a25806657034b45d8a6b7038bb6208278e9bba

SHA512
5fd168e8d98361c600e6c88cc614d851630adfca365fc8cb69a8369ae27c140a4428fd26130b2a2a176f1ffd164f3b486f0a0c43a3eb6ef94284931d8c07dd0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
71b11f36b68b98ffe34f858f34962f28

SHA1
c16977f011407bf79ae4c1aca216a1883b0edda2

SHA256
4216d32a7da75a9f11d10fb8c0aa45e671b7c74d0a4b1b3a6d497672ff613c16

SHA512
f3d6ffc0fdf65b2dcddbde6a6d31d69a66530f6cf6a38bfce4ddaeff5fb7b10a8ae7b9a97a6f5b50cb1827567e56381ca1eb9c6455b18e7ad1cf7d11e05ea1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AZENA5WE86CZT6HJEKXK.temp

Filesize
7KB

MD5
78fa05bacd97e7c2112c633fc2723d4a

SHA1
1197907c69255f7e9c26878d9b4e3b2040775c2f

SHA256
c0572d9416378c5db2811a4491d536dc894a4c9510a79ae024049e4de27714ec

SHA512
0cff1a3999fb2fba3452d7c397821e8709cb6161dcd7bbd97488f5a826d7ae003787a04fd4e3ae508848b413f45019f22215248951d454b22c855df746e12878

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/592-47-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/592-48-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/744-195-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2148-710-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2160-233-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/2532-51-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2564-533-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2564-532-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2660-16-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2660-15-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2660-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2660-13-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2660-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2708-353-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2708-354-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2788-593-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2832-292-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/2832-293-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2972-87-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2972-92-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download