Analysis Overview
SHA256
38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04
Threat Level: Known bad
The file JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
DcRat
Process spawned unexpected child process
Dcrat family
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 01:49
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 01:49
Reported
2024-12-30 01:52
Platform
win7-20240708-en
Max time kernel
141s
Max time network
136s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\42af1c969fbb7b | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\1610b97d3ab4a7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ehome\OSPPSVC.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\ehome\1610b97d3ab4a7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\rescache\rc0006\audiodg.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\DigitalLocker\it-IT\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\DigitalLocker\it-IT\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ehome\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\SendTo\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\it-IT\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\it-IT\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\it-IT\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\System.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdvQL68WQX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2988-13-0x00000000002C0000-0x00000000003D0000-memory.dmp
memory/2988-14-0x0000000000150000-0x0000000000162000-memory.dmp
memory/2988-15-0x0000000000250000-0x000000000025C000-memory.dmp
memory/2988-16-0x0000000000260000-0x000000000026C000-memory.dmp
memory/2988-17-0x0000000000270000-0x000000000027C000-memory.dmp
memory/2700-61-0x000000001B660000-0x000000001B942000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 49d52b4d692fd368dcb93fbfd967ed3c |
| SHA1 | b0e155faf25feb334ddad4225220ea5477560d4c |
| SHA256 | 338289d1c9b6756726b3d02b708eff36f16b3971ca2241b6debc4c92139ff18c |
| SHA512 | b457d7b1ca07c7a3f3e3b0f42b0cf46c65bb600bada008c55ec489d7a6a19c35795de7afd15fda7c66f25cf3d1b1d064e1215f7599c2b38ba6482cce096f9b10 |
memory/2700-62-0x0000000000340000-0x0000000000348000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TdvQL68WQX.bat
| MD5 | 12fd04a2b286a331afd74ae2351ad5fb |
| SHA1 | fa70385cb5cea73445f42e5f983b0b86a27d8199 |
| SHA256 | 9559241758f39b8316be96829809368ed5596abcff21122183257e0fc3ac70d7 |
| SHA512 | 50f658fb253f4ac9bcb7bcda441316adee54bbf56ae0dee2747c4df5bc4ae93f951938dd91a78b05aeb6cee0b85155445cb6d27e64205d9e9b6825a1c2b0d65d |
memory/1824-150-0x0000000000870000-0x0000000000980000-memory.dmp
memory/1824-151-0x0000000000240000-0x0000000000252000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabBAAA.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarBACC.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat
| MD5 | ee16c0d79b3ed8ae2f5a15a928eba92a |
| SHA1 | 7a036489989c77013535e66bf57e25a1efef047f |
| SHA256 | eebacbe44c9b3211d29b8106a3f2bf855021185bcdffd8ca82b36696602b7c80 |
| SHA512 | 8e3d05e27bdd87bc825a41a0656dc56ee46c5de7ed220bb6fe102a595aeb71c0bb79e386a1ee9f3d6ed2f38525f23d3e25b9372ddd4b9acc7dfd3d155b8d0a50 |
memory/2128-210-0x0000000000960000-0x0000000000A70000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 632d3a98bfc6cfaff5643a484673d92e |
| SHA1 | 72974a34f36ee8ff9c6d20c52036cfca37f264ec |
| SHA256 | 8892d8c715d499527a534040d28c68a36c8346d9c21df21f845b7bc6378f80f5 |
| SHA512 | 8e7894fb79488cf7bf24e228bda413693c022cbf75277be56afb7ee8a77b87c296ef0f0817fd619ea9c984f5e9db797bba82563bfcef665bdc5bfcd04e7b4023 |
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat
| MD5 | d9aed5e720fc264c40bf0a5cd1b1a119 |
| SHA1 | 49ed171691c8cc7e404d3f0390292c262e96fbc5 |
| SHA256 | 221ac36ef9cedb17dd47a96670f2460b1381a382a531087da9a0a5799f786ef2 |
| SHA512 | 6672334b3a6f55568d0d0049955cb1ec8bf1745abc588e661fc766f98b4ce1536b97ea2cf7d606a7e1a641f513d1b8deff819ea6caf2c7732a713db0b9eb1f66 |
memory/264-270-0x00000000002B0000-0x00000000003C0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f19f9ef308740b9925bd40fd8e9b88ab |
| SHA1 | 9644fd7e1df5b13df453eaa8e0941cb0d76d569a |
| SHA256 | a6807d701bc8bb4a7db9989995e055586c657e81a545666581d8ae7ab1974902 |
| SHA512 | 2ec967bf78fc2cd6ef93c08d25999219ea970b885966e7aafc378f479c88f2fd6f2ffea87b075a65bc59c72d56d02daeb6a5e8005b64f625b074082d44cacbcf |
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat
| MD5 | 66a764f61eb8fc2db47985a3a9dde0aa |
| SHA1 | ee4f5bc2f488649e8b351e3bfeb28b3a1c9962c4 |
| SHA256 | 2dce675c63aadd131dd09a8ce5f87ab4a4e9b06de013bad490727fe27d14e5a9 |
| SHA512 | 9e9e78d1d2553af64a7ac681b64f838d35df3377237deb324d3fb491c06fc2576dc63c69f911a07517bf4ad5215a0443e0eff8fe25b9f3fd3c5b6fb87409e6ea |
memory/1152-330-0x0000000000C10000-0x0000000000D20000-memory.dmp
memory/1152-331-0x0000000000240000-0x0000000000252000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 31829ded67aa96f0e05b041e3f92ab6e |
| SHA1 | 349a2bfd9c762b1d47d6f271066a2cdeb7fa2fe8 |
| SHA256 | c16aa2b385c46cb1095684fd1d86985b0aa925c9b2b712ac4abc6b4a075ad103 |
| SHA512 | df981f2e3afad54104e6af33a6ac6706ed60e4205c87d122b31f71045350ed11f6a15902339055ae770ef8117ee0db9c186ce0f2eea38aef356dab961238e8ac |
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat
| MD5 | a8c1d50cd2dde414c132911b58d12e91 |
| SHA1 | 0c397388383055c87114950bc8ab17c61fdec591 |
| SHA256 | 7b0d1a470f1e1c3452fed0aead52b45a6fdc9bb18c605b295c43316f2562fbde |
| SHA512 | 9e9d1f2cac78e5cce620edf2c8832d309b917266f4f21df81b64ba85247fb5d9a9f082532636f948f2cefc79114ee385beac15a5833bafb035d8e6c1fab03a45 |
memory/2580-391-0x0000000000FF0000-0x0000000001100000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 966c2dbec10315632bcec791298144b0 |
| SHA1 | 0af216b37866b032c5df25a919fcfbc534bbd888 |
| SHA256 | 697639d8389766745162b0334f6dbad422ac5118fdbd986c15c307db51cb309b |
| SHA512 | 6ee78e8cdd1d752709e13249ee440e07a262b96fe093e0dc8258feb3f327fb188a7208d7d683d7bda2979852429d2ed6032088a198e3c1047eb1b97d390a65b9 |
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat
| MD5 | b961b76d1d54d41df78b65365a2014a4 |
| SHA1 | b0623f00ed3bdff08f189159d05dac8096add1ec |
| SHA256 | 7611347e6c55a917331892272be0fb31393cfc5aca008e4d2c176c9372fa72d4 |
| SHA512 | 41e222dc01678fb1f4954e807ad26ff470d8c03d801e7161e4262ba376555108479230b2ecb79965a8ce5352ff15c7814ab04124baf6255ea88ec8c617870776 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c0934006a797e92bf6b4e26fbd25e8d3 |
| SHA1 | 2fee85dfeec07c9ab5df04b90a381fb7c88c1321 |
| SHA256 | a61dadb0f2a3a7ee4a7985028361bda32f729b50a5dc3ec0db410506c1812616 |
| SHA512 | bb0e3936f735f4edcd6229c6a49fa92cef8e32bc7b3b04988a986d5e59876ad96a3bdf733a301bc633b16ca671d0ecfa6b65688570b673b90a7c7787d1a239b1 |
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat
| MD5 | cd7b5ffa115c6b813dc834fc71ed7c4b |
| SHA1 | b045267d7c60ee56826b763d794c759e344ac7c6 |
| SHA256 | ccfab1a288a34085aad6a02e280a9d10c6f155f9a13a998eeb7699603cc3c945 |
| SHA512 | 5f9b87f2b05ffff4c702cb780514b15a7a75469bcd07c4ed71b0e889a934210e156465579496bbdc473f0645d67ebe2c1d4a974a8854e2e232bb26e661f72138 |
memory/764-510-0x00000000011E0000-0x00000000012F0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6d210a677ae83a54bed4c1addcc1f508 |
| SHA1 | bd52e5ffb46df5b1cc75f944473579c439a6ae8b |
| SHA256 | 83f6127891411af38b8f25cd6789e6720236c2eb7f90af4dfd99db0b869e7e16 |
| SHA512 | 2ab073379dddfe2438116ed33ac111f5008c197fdac09c39d52cabb865158a83f8d0fcd14cb5f8f833b1fa98b0734c1ba89fd4ea268d305dbf9150b5d9e6c981 |
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat
| MD5 | 586b87feb3e214a187c07c829009e5ab |
| SHA1 | bb93f38202f1d2edcd4a10cb423aa486de27b89a |
| SHA256 | 7a62e9335c236d634e2570a87bea42d8ea332b6a8c81fd94b280c49ae80fd80f |
| SHA512 | 15effaec8ebe237b2d4564dc73c27d6401e644e676c740566cd588bcd0ddf50f43c13a60b08e24a0cde8c3c7a2b7a19254b5effa53c13723af3f516b7da8f66c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e774e32abba504f418f9c392b93d9cf0 |
| SHA1 | 1ffebd65c622b579ea958255ad25dcc5cdbe005b |
| SHA256 | ff5512a3386e6f77c94ce931a33b36fbe4fc450f2e0d13f905c00df914686584 |
| SHA512 | 145e938eb08b2d729858f3da5a1092805aaeef10321786697dbc13f3d74040da53be2a0da3f5a2090f5656789b659093facbc3a50a68aacd25f7d828e77dc913 |
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat
| MD5 | 2a6566155144eee9108a7e515030e28a |
| SHA1 | 9ff641fe474e8a0544b285b6002bbe02abb65d29 |
| SHA256 | 1c93097e752c9e410921fcc660f55fafa807e13968e7624c5560c18fe12f8ae1 |
| SHA512 | 4c29de08a2e86d05366b9301e45ddcdd99cf4d5f6722aa7ea281bc8a570af2c5b2cb717bf6ede091daf69e4c680e465b30651d3611e297b35370b00f12803200 |
memory/1884-629-0x0000000000100000-0x0000000000210000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 01:49
Reported
2024-12-30 01:52
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\conhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
| N/A | N/A | C:\providercommon\conhost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\System\fr-FR\TextInputHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\fr-FR\22eafd247d37c3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\it-IT\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\OCR\ja-jp\OfficeClickToRun.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\CbsTemp\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\CbsTemp\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\security\audit\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Windows\security\audit\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\security\audit\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\conhost.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38529abe4880de3780b945a4015d6f8a6da474d300f55e72dcfcdc9765dd9c04.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\security\audit\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\security\audit\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\security\audit\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\audit\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\fr-FR\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\conhost.exe
"C:\providercommon\conhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5116-12-0x00007FFFFDBF3000-0x00007FFFFDBF5000-memory.dmp
memory/5116-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp
memory/5116-14-0x000000001B6B0000-0x000000001B6C2000-memory.dmp
memory/5116-15-0x000000001B6C0000-0x000000001B6CC000-memory.dmp
memory/5116-16-0x000000001B6D0000-0x000000001B6DC000-memory.dmp
memory/5116-17-0x000000001B7F0000-0x000000001B7FC000-memory.dmp
memory/4992-54-0x00000166EF380000-0x00000166EF3A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kkx41dvg.lvn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat
| MD5 | ae384fb1482269377812c3e1882b2cb1 |
| SHA1 | 0577182c38e2b1c9ee27a9fde67678d30d6cbc75 |
| SHA256 | cc7c052f4ee57918058d69dbf0212bdacef0f2decf41aebd4a8fb2dd0b253eaf |
| SHA512 | 849885aebbf0e521b2b1fa6b35478bfeac77ad58ce7e19a74640fb0e47afea735fa7c459fefcdd193fcfcadccd9074f043ca27ba4f77422af3c4f1990985fd2c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/3324-154-0x0000000001A30000-0x0000000001A42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat
| MD5 | 1a3d939ba875788b3431eb0faeca2d14 |
| SHA1 | b50668667fd84d02a0533f658e3650dba92c2fe1 |
| SHA256 | a007b2ad26e815356dcd48375eb211327a33aa80880b6fafc6f7f41a07d5e8db |
| SHA512 | d772fec4819e34f0e3fccaedf2ae45f18201b52018358d5ff3794aac7b8b57fbbe59a8894b958092986eabfaa991b2d9e777c679f044a882593cf325c1816063 |
C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat
| MD5 | 270162444fdc5e4dc7a952c9cde14e08 |
| SHA1 | 66cbe2c029a20e1dc6f4e89a7d739648a6b4fc53 |
| SHA256 | 43255271a31471dbef19f9405fb16398113ba115ffae1b66dd9a45dccbde31ff |
| SHA512 | 4be304e7f3322a7088ede2a2401b101b355458d0d34368e2302c4c72b564a9d8bd51e900b3aa72927ea7c9d87fc116e310b31488119a65d3928f2621295e6d6f |
memory/4420-167-0x0000000000D80000-0x0000000000D92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat
| MD5 | 2ce6fe662832cdddcbbdff44646414f8 |
| SHA1 | d6f427689a6ba957bc1ce9318d6b76a9241dab07 |
| SHA256 | 5cb36ddbab6d9a2a6168164675e507438c053f732d1340c451c8b9dfc6099612 |
| SHA512 | 92d59d853898b7bfaeda3194221439fc0f3068c25d7145adb894e06d3af6275c09c0357beb45575ced9695c9c6560354863ba99f398b34a7a55e467352d6cdc0 |
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat
| MD5 | 279ad3a80809c8181ed38dc009eb1302 |
| SHA1 | 7ac6aa57f3e91e5898beb0dc2d2fbed2e99d1d25 |
| SHA256 | bc526d51eb6d14806a6a0cb2e73b025fe2f4f3af15695ba42b96cc3a334ad273 |
| SHA512 | 0e8568a08c00f1ffb192643b4617419983edaa3585d71202e982cdf6e7ffbd9d1098253b4430898052c0f4bacdb1c232f680d39c64f09047ff3256890741a7d7 |
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat
| MD5 | 4227dae00cead819ccd068d52feed121 |
| SHA1 | 6cf220ad3b4f5fa989f0a7d2039fb16efab9e154 |
| SHA256 | c6441d4a49cd406d71dcb17687cc6cdef61c17053177dfa49008548110293389 |
| SHA512 | 30cc362b897d2c9c330d5a4e786ee387e7ab74f56f9ca7187af22220da3836b6dc0254aa9228ff3c2e98b79ba38e49c338a2cf4ef0d2d8dcf3d1ef887e2e2f2a |
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat
| MD5 | 980d79a212b8efcc13ae73aa20079ce7 |
| SHA1 | d6bdc0b686d0a38ef435db1e059285779f76ff4f |
| SHA256 | 83abf9d29084236a0bd7e3119dfd9ca811f44fc3ebab42af53c8fd52a4e61b7d |
| SHA512 | 4250f38a256895da99858575cf21e2680b846d8dcf3e79af9d879b535a47f66a277dc8b5d39738658542a006a33e7847773e92782e6b3f762a95c41c5b9e16f2 |
C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat
| MD5 | ab3a016fe579f0fa0fc91cb3dae5d0f5 |
| SHA1 | f86899db7fe2183c02ed1d2f8878de0c4c4a9b87 |
| SHA256 | 1b7074ac3d537e9bccdfb70e08f1209012c0f503e2b2688e6092cf4a4110dd58 |
| SHA512 | ea7c513853298186ad5f0896689b3b88357b0ea180927187449696003764a8a77f4b8d257861c8aa6e21e6af574601cbc95a6292868ae8ec7d794681f50705a3 |
C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat
| MD5 | 16c6331c595996aa5dad7afafca4931b |
| SHA1 | d96e8c86859d2e5096d3456e307f120b26aed0f6 |
| SHA256 | 58407d15ca525e5d0152a101f422df4004efe8635d62e2cf6b56792fba1e874c |
| SHA512 | ffc74b170132486cb062e86b241cfe110e0eac1a08770ebb81dcc0c61b182296223d8fa95304aa09dfbb3cf036c94150e0f9e2ea78c9218453e8b01bf4d861c1 |
memory/4020-204-0x00000000024C0000-0x00000000024D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat
| MD5 | 286c235ba7d5a29c868b6856173d38e6 |
| SHA1 | bb2230127f6a1e571675e82e28017ca3ef1de8da |
| SHA256 | 34a3f5a74f122d92897509e9fbd49936a252799938dc07bc02fb7d2dd4626091 |
| SHA512 | dbafa17cca1b91b5253b23d007044f9af826b804955f0f927b71c29bcef1e250b4330378d01168a64dee7f3f3f2c733b0d168f4eff858cad802163c9fe331081 |