dcrat | c2ae0f08e0722ce59f492adb6b0490ab2208e2376a9093fd4f4f30190a92044c

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 21:53 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c2ae0f08e0722ce59f492adb6b0490ab2208e2376a9093fd4f4f30190a92044c.exe
Size

1.3MB
MD5

7171b812098bc7de8fbc3538cfa154a1
SHA1

91b70cf06220da7959f0d83afb10ad3b0fdb02c0
SHA256

c2ae0f08e0722ce59f492adb6b0490ab2208e2376a9093fd4f4f30190a92044c
SHA512

41a3bf0ad6965b5c16c9e3f314f57b2356df5199e39b96eee2086553afd6947403d0debe2cdbc9dbb37172392512b60c6be46c5c79687875acf3bb40a95039d6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2992	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d0c-9.dat	dcrat
behavioral1/memory/2472-13-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/444-132-0x0000000000970000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/1584-191-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/2272-311-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/1568-372-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2320-491-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/1740-551-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/2724-611-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/2664-671-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/memory/2708-731-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2376	powershell.exe
1724	powershell.exe
884	powershell.exe
688	powershell.exe
1204	powershell.exe
3036	powershell.exe
1980	powershell.exe
340	powershell.exe
3060	powershell.exe
1148	powershell.exe
1872	powershell.exe
1816	powershell.exe
308	powershell.exe
1072	powershell.exe
1468	powershell.exe
1400	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2472	DllCommonsvc.exe
444	wininit.exe
1584	wininit.exe
2140	wininit.exe
2272	wininit.exe
1568	wininit.exe
876	wininit.exe
2320	wininit.exe
1740	wininit.exe
2724	wininit.exe
2664	wininit.exe
2708	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2800	cmd.exe
2800	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c2ae0f08e0722ce59f492adb6b0490ab2208e2376a9093fd4f4f30190a92044c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1256	schtasks.exe
2676	schtasks.exe
2916	schtasks.exe
1540	schtasks.exe
1792	schtasks.exe
2552	schtasks.exe
2988	schtasks.exe
2776	schtasks.exe
1032	schtasks.exe
3008	schtasks.exe
2600	schtasks.exe
2040	schtasks.exe
1108	schtasks.exe
1924	schtasks.exe
2672	schtasks.exe
1876	schtasks.exe
2488	schtasks.exe
1016	schtasks.exe
1160	schtasks.exe
1324	schtasks.exe
2636	schtasks.exe
1632	schtasks.exe
960	schtasks.exe
1680	schtasks.exe
1716	schtasks.exe
2140	schtasks.exe
2796	schtasks.exe
2416	schtasks.exe
2236	schtasks.exe
348	schtasks.exe
2960	schtasks.exe
2296	schtasks.exe
2452	schtasks.exe
2276	schtasks.exe
640	schtasks.exe
324	schtasks.exe
2192	schtasks.exe
1152	schtasks.exe
2096	schtasks.exe
2928	schtasks.exe
2464	schtasks.exe
2780	schtasks.exe
1524	schtasks.exe
2196	schtasks.exe
1076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2472	DllCommonsvc.exe
2472	DllCommonsvc.exe
2472	DllCommonsvc.exe
308	powershell.exe
2376	powershell.exe
1724	powershell.exe
1148	powershell.exe
1980	powershell.exe
1468	powershell.exe
340	powershell.exe
1872	powershell.exe
3060	powershell.exe
1204	powershell.exe
3036	powershell.exe
884	powershell.exe
1072	powershell.exe
1816	powershell.exe
688	powershell.exe
444	wininit.exe
1584	wininit.exe
2140	wininit.exe
2272	wininit.exe
1568	wininit.exe
876	wininit.exe
2320	wininit.exe
1740	wininit.exe
2724	wininit.exe
2664	wininit.exe
2708	wininit.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	DllCommonsvc.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	444	wininit.exe
Token: SeDebugPrivilege	1584	wininit.exe
Token: SeDebugPrivilege	2140	wininit.exe
Token: SeDebugPrivilege	2272	wininit.exe
Token: SeDebugPrivilege	1568	wininit.exe
Token: SeDebugPrivilege	876	wininit.exe
Token: SeDebugPrivilege	2320	wininit.exe
Token: SeDebugPrivilege	1740	wininit.exe
Token: SeDebugPrivilege	2724	wininit.exe
Token: SeDebugPrivilege	2664	wininit.exe
Token: SeDebugPrivilege	2708	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2316	1920	JaffaCakes118_c2ae0f08e0722ce59f492adb6b0490ab2208e2376a9093fd4f4f30190a92044c.exe	30
PID 1920 wrote to memory of 2316	1920	JaffaCakes118_c2ae0f08e0722ce59f492adb6b0490ab2208e2376a9093fd4f4f30190a92044c.exe	30
PID 1920 wrote to memory of 2316	1920	JaffaCakes118_c2ae0f08e0722ce59f492adb6b0490ab2208e2376a9093fd4f4f30190a92044c.exe	30
PID 1920 wrote to memory of 2316	1920	JaffaCakes118_c2ae0f08e0722ce59f492adb6b0490ab2208e2376a9093fd4f4f30190a92044c.exe	30
PID 2316 wrote to memory of 2800	2316	WScript.exe	31
PID 2316 wrote to memory of 2800	2316	WScript.exe	31
PID 2316 wrote to memory of 2800	2316	WScript.exe	31
PID 2316 wrote to memory of 2800	2316	WScript.exe	31
PID 2800 wrote to memory of 2472	2800	cmd.exe	33
PID 2800 wrote to memory of 2472	2800	cmd.exe	33
PID 2800 wrote to memory of 2472	2800	cmd.exe	33
PID 2800 wrote to memory of 2472	2800	cmd.exe	33
PID 2472 wrote to memory of 3060	2472	DllCommonsvc.exe	80
PID 2472 wrote to memory of 3060	2472	DllCommonsvc.exe	80
PID 2472 wrote to memory of 3060	2472	DllCommonsvc.exe	80
PID 2472 wrote to memory of 2376	2472	DllCommonsvc.exe	81
PID 2472 wrote to memory of 2376	2472	DllCommonsvc.exe	81
PID 2472 wrote to memory of 2376	2472	DllCommonsvc.exe	81
PID 2472 wrote to memory of 688	2472	DllCommonsvc.exe	82
PID 2472 wrote to memory of 688	2472	DllCommonsvc.exe	82
PID 2472 wrote to memory of 688	2472	DllCommonsvc.exe	82
PID 2472 wrote to memory of 1072	2472	DllCommonsvc.exe	84
PID 2472 wrote to memory of 1072	2472	DllCommonsvc.exe	84
PID 2472 wrote to memory of 1072	2472	DllCommonsvc.exe	84
PID 2472 wrote to memory of 884	2472	DllCommonsvc.exe	86
PID 2472 wrote to memory of 884	2472	DllCommonsvc.exe	86
PID 2472 wrote to memory of 884	2472	DllCommonsvc.exe	86
PID 2472 wrote to memory of 340	2472	DllCommonsvc.exe	89
PID 2472 wrote to memory of 340	2472	DllCommonsvc.exe	89
PID 2472 wrote to memory of 340	2472	DllCommonsvc.exe	89
PID 2472 wrote to memory of 308	2472	DllCommonsvc.exe	90
PID 2472 wrote to memory of 308	2472	DllCommonsvc.exe	90
PID 2472 wrote to memory of 308	2472	DllCommonsvc.exe	90
PID 2472 wrote to memory of 1816	2472	DllCommonsvc.exe	92
PID 2472 wrote to memory of 1816	2472	DllCommonsvc.exe	92
PID 2472 wrote to memory of 1816	2472	DllCommonsvc.exe	92
PID 2472 wrote to memory of 1872	2472	DllCommonsvc.exe	93
PID 2472 wrote to memory of 1872	2472	DllCommonsvc.exe	93
PID 2472 wrote to memory of 1872	2472	DllCommonsvc.exe	93
PID 2472 wrote to memory of 1400	2472	DllCommonsvc.exe	94
PID 2472 wrote to memory of 1400	2472	DllCommonsvc.exe	94
PID 2472 wrote to memory of 1400	2472	DllCommonsvc.exe	94
PID 2472 wrote to memory of 1980	2472	DllCommonsvc.exe	95
PID 2472 wrote to memory of 1980	2472	DllCommonsvc.exe	95
PID 2472 wrote to memory of 1980	2472	DllCommonsvc.exe	95
PID 2472 wrote to memory of 1724	2472	DllCommonsvc.exe	97
PID 2472 wrote to memory of 1724	2472	DllCommonsvc.exe	97
PID 2472 wrote to memory of 1724	2472	DllCommonsvc.exe	97
PID 2472 wrote to memory of 1148	2472	DllCommonsvc.exe	99
PID 2472 wrote to memory of 1148	2472	DllCommonsvc.exe	99
PID 2472 wrote to memory of 1148	2472	DllCommonsvc.exe	99
PID 2472 wrote to memory of 3036	2472	DllCommonsvc.exe	100
PID 2472 wrote to memory of 3036	2472	DllCommonsvc.exe	100
PID 2472 wrote to memory of 3036	2472	DllCommonsvc.exe	100
PID 2472 wrote to memory of 1204	2472	DllCommonsvc.exe	102
PID 2472 wrote to memory of 1204	2472	DllCommonsvc.exe	102
PID 2472 wrote to memory of 1204	2472	DllCommonsvc.exe	102
PID 2472 wrote to memory of 1468	2472	DllCommonsvc.exe	103
PID 2472 wrote to memory of 1468	2472	DllCommonsvc.exe	103
PID 2472 wrote to memory of 1468	2472	DllCommonsvc.exe	103
PID 2472 wrote to memory of 2200	2472	DllCommonsvc.exe	106
PID 2472 wrote to memory of 2200	2472	DllCommonsvc.exe	106
PID 2472 wrote to memory of 2200	2472	DllCommonsvc.exe	106
PID 2200 wrote to memory of 532	2200	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2ae0f08e0722ce59f492adb6b0490ab2208e2376a9093fd4f4f30190a92044c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2ae0f08e0722ce59f492adb6b0490ab2208e2376a9093fd4f4f30190a92044c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Vjk6pFV6a.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:532
      - C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        7⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1380
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        9⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2336
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
        11⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1608
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
        13⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2040
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
        15⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1468
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
        17⤵
        
        PID:2372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1744
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"
        19⤵
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:324
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
        21⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:940
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
        23⤵
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:772
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
        25⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2940
        
        C:\Program Files\Windows Portable Devices\wininit.exe
        
        "C:\Program Files\Windows Portable Devices\wininit.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Recent\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

Network

DNS

raw.githubusercontent.com

wininit.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

185.199.109.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

wininit.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

wininit.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11

8.8.8.8:53

raw.githubusercontent.com

dns

wininit.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.109.133

185.199.111.133

185.199.110.133

185.199.108.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ec44eed7c3e1445287d8213a2c71cf4

SHA1
05a0588ba147f52678c55e61d2d568f61e331516

SHA256
07a15bc156fa6ab9fbb7962d87d7da663eb8ea5a3f3533308c280fa526448e09

SHA512
d428ac8bb8dab83df5a14e90cedf0039a4709991b7f2a106acb5aab57fcaa500cd3733f17cd1b722131240ba3d9b32b853289ca335eb3ce183360c9898117c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c77494c2ea17f546596cebc6f7dcacb

SHA1
92eb38f5418a657759adf26c844e2dbe66108db1

SHA256
de2ad308dce74974399071715227779eceba4eba7571e0ef88b50ad24d25434b

SHA512
02ed5a92f1049a47be3084ff7c81bb84bed4d51749eea7c787b846412eaf6a72330582cead09607385838de419276f56fb1cc692826f81239e2d60a63e72e6ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77ac3b788e8d7c7756c105188f36d7f6

SHA1
553fb493b90e761fc29bb637e5fd6ebbd7e9822e

SHA256
f8efec0b0ad9b48e34419ef80a6400d25e5c9d90553db4d2bc6114011d4ff830

SHA512
365671104292057730a39edca3a754f85dfe300c53d63e29e640d9b7a02aa75da691e7dc5c55ef215eaa99ce71749ed8d00be42e49ff321a357d68b8f35a369d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f965aa7ef912658f908a1e962fa03e2f

SHA1
e81cf8cf5fee71ec1cdc16a3a28060bc0e9ecc0c

SHA256
527719a389785a9487ca0c8754bec8abcd128bf2fa69bf7be64971c3c2f64cce

SHA512
82fe678bac237a29709763d4a51da771bb0c05e0f7f71cbaa758aab1278edc05b2fea2a30ba6cfa78f9a6672723707f7ef627233769a57211ac8d415eba3a2dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bcc033949e24402e8d6cd25e55145a3

SHA1
94c5767c2a03933a99e5423a8e32db492f8e527a

SHA256
d2a73b09c4b7899946b1e21a086c63a1e84548d828c97e4c30911007da5d0b79

SHA512
9c83986f1217c468a2f98280ee0817de4b0e583fb18432e3f5899758d3da8e7e5d91cf0cf73012711c306517e6b990d7989ec21d43395941c09cda3c4b6ee5e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9559244d368505109216c475aa227590

SHA1
6b4ba398fbe43fb06b9f9d6833282d8e247859f6

SHA256
9842b0e31eb008fd0e2cc5677a50e53d4e105ab398532d2d5c04adbd25fc94c9

SHA512
7428ca94b5da5edb632287086eaf1ed01e6b94e9e0213e3e3adfd1493cf9198156a597df9b97f07e5fab6940d7ef26e2cfba39770f6c1b124568477395e84770

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00d87c27f9d6fa0bd470b78c556362c5

SHA1
9f7ec5c86191a908b41426181035cc9425f33b5e

SHA256
aa4f248cabbe8be865c7f2ed2606434e5aec5108c10bf89fc71ee966d222bf14

SHA512
b6c6bf21fa38270d455c58b88303432f7c7f3081c0f24d9c0de5ed4de371266407e9bf4b74fa2916282e786c541cbe37f53b015dd5c9b0e2415c79304e25ad08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3bb36ebb4f98c8b1ce41b682bd5ba83

SHA1
5f4e20ac45bad9a49f9734589c362e30346ce112

SHA256
c0dae0de9cb9b22d0833410358f446aa5d6991848835b8b386e944898f4ac5ce

SHA512
d836fe998cd63d4177bd7c070e064093c7970b99b68ba26bd16dc4d49af358360174bfd12c24ee14fa45c1b346212b95be56d7e6c86089069e79aad55663f70f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5513888c59f30bbec132843fbcf27de5

SHA1
0aed45bc8ef3f9269751ac8a5eeba86d7b5d4551

SHA256
a5c3564906f557ae0312f312f7c60d022df3798a9b271c79f06d5c6cf5370d57

SHA512
2e4440b09b99ab0b1a09249eaf111d49e31600ca4dc4de4d6dfdb75bac0f87e335b4fd8ed7f9254151b1abf2207119dadbaaadd0ffb5ac6506d3abaff5dcb21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

Filesize
218B

MD5
432a6f1716d85d25e61daa7a173a758a

SHA1
e2ac0509009cf05d1d44d7c032dca6b8015461ab

SHA256
1964f2a730af348b62ea03bc9f8935bc695c88ba6c042b2a3ca8ea25b682017e

SHA512
c2f7bf2e066212c3c2fe0a1a0e6c496b0d38dc275817c3b39ac863ef3ea5732dd15b1648b60987ba9b4be95ef1ac063f6a8856469f68e87c780baa17bd45bdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Vjk6pFV6a.bat

Filesize
218B

MD5
bcbecbaa3fb598ddfb76849a187bc237

SHA1
37fa98ef20a6f40385282eca992669f4ffad4425

SHA256
17c0f24f0b0ab5c29fac48fa9ed72f641f52622a4faf08e01a00ff5612f69035

SHA512
a0fd30dda2a8eaed123f858b8ef15025f4bee4be0bbbf73f1f082546f1ad29f6df5571aa612d536a6222099357f7cf68647a05397e86f8727f1e0c37f7baebbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
218B

MD5
f93897c1e85b43d27099043939320b35

SHA1
4e09d8bcad3f4533893604268a53186cc3e719ae

SHA256
d97d3023f3f71034a912317726bb1add0cc440107bb409bf7effe5fbd8886c28

SHA512
2d6b39347ead6b7b4998c5955e2a6e541a2caa3079d23d4c84d9fa6b04c02b85f039482b877f3cb1040f8bdacb0abcd0c1ec270f79dc299a131db87fe8008317

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

Filesize
218B

MD5
fd65168b44dcd7c3651609d0125c13a6

SHA1
3327ab783b2c433ffdb6b03a0c1dbb9f42d9731e

SHA256
faef0097b824fc8b0631b1f8e297d55e383a6a8aaba239a46ac56096058155a2

SHA512
be479f49c7b8d07fb9f0e99d3e1a295565c34ff1ec0ef656e07c160ec6e1df73245838306983fee9c31f52139ba6feb1a7b0138870f5c16d9f06796cd72c2429

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF430.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

Filesize
218B

MD5
d72ca9b37ff81238915f85891d8cb17c

SHA1
7decb4f0aed05ad6579522b1b344b3515c05e028

SHA256
c9b366d40d7faf112e39f628bbfb5a849605f1ce83ab1070efa30c6491d40c18

SHA512
ebe3242eb038f9459c27d028b108327a293ead0aac740b9566338764a8840684dcc59af05dfd88a76f95b2a7c1b9047a97294ccb10460dd0ee040d40def7147b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

Filesize
218B

MD5
0f22335ef8a83bd563fdfbdd5a6c9ab4

SHA1
189652f3caf7b72fba0635a6e578145a4d3fab12

SHA256
49ae136d430c767c25123955f39729ae94a04139510d66d1793ca0a2991f1f09

SHA512
0c39361cadc12ab5770adbb8fbfb3ae6bab88dba97851e89900fcb08d76ffd93cbe288e7d20d517076d690979a30a19d492afaa0d3a4c78f118dff8b5d972d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

Filesize
218B

MD5
fdc3aa0c2a67d4e15821ccc845478442

SHA1
417ed62ab6d08a756c4816b0a4e1f0274b9c09e6

SHA256
b23841a173b96afac209f305e10c099b4637acdc820f9fb811455c5e7f1eac11

SHA512
73880bac866ed0dcc1966f46e30c5a323820049b063642d425d85df8b9c3c048c4dcd03e8daa802a09f62b15c500cb9f79f5535ec209563f9057347499008f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

Filesize
218B

MD5
1b97f207d77aaf68b1ee8061b617a08b

SHA1
ab29b240cfb6e34d8f8e771ecdf700028fdee249

SHA256
8ec1592e3ca148ff34ec348c386e75a76c4053bb8dc74a15d4ca5d654f9b9ea1

SHA512
8b45a3ea68c4706388dc3bbe80e573b619185e6543894de376a41722328a7330010046875708696ccf432173fac89b40b9b10c8e0b29b3274f27e953e72d0f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF453.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat

Filesize
218B

MD5
3ee654c58c68ee7336778e56733df1ca

SHA1
acc39f5178cfbed9d8ecfbde27eb712d24ad71ef

SHA256
3e9c222bfe25d0d61ddfed9a0cbbf401917eac704648b8e8ce8d0e1d13996d8e

SHA512
10e041105fb9bdf30f64b4e030581ce85ada303131acb4c429eeffb2d6b75518cc676eb3898b3d29ae63b0293369843605a2700761a1f4bba40fb38b9a7ac7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat

Filesize
218B

MD5
291320e788d8159b7f769bbcbb255d24

SHA1
00bf1fa4522054670bedbd892f9b87d445c276cb

SHA256
c255004fc1a63dff62ff637ca03cc5238fc33908f758ca3984103e21c4202721

SHA512
c60cb2a8705ee7a09dbf80be9fd716bcb14df0324aba90fa6370dbd14c48cd99cc5869962df2136793b8f583c43961cbf440e7086046df854ae8e4ec0d4ba4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
218B

MD5
ce36bc8e83f1c21b07139a867d7e6b77

SHA1
87b3d99c08366977b3448ac3f4df9d38a1a70a46

SHA256
db6c701d555480baf9930d847564b8a4d618529aa51f3b3f266e9d1f46c7b4a0

SHA512
9bf656dbca9e8d1e771dff640fdbf2c38f1b48d28f31aebfd19572474f6d89116efc14dd7e99cfc201a39e799b71b4dc3d76476d58947a944e6befc03deb6e5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4c14e1318dead110d5534a5c08538639

SHA1
27259adec8d19717a725c48e96c2ba2bea553631

SHA256
cf91f8001b995c5f1d1dfd15dbe7d4e12707c9c54b15abee4f14c2f01f178417

SHA512
822813ffbf11fd69aa6736c028c6b68b32b9a16f94926160f03fed4d7a76f469a6804018b2096665080229272056282d110d956b7a5bce64925378c4c68ea1ea

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/308-62-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/444-132-0x0000000000970000-0x0000000000A80000-memory.dmp

Filesize
1.1MB

Download
memory/1568-372-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/1584-191-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/1740-551-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/1872-100-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2140-251-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2272-311-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2272-312-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2320-491-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2376-61-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2472-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2472-13-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/2472-15-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2472-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2472-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2664-671-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/2708-731-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/2708-732-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2724-611-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.