Analysis Overview
SHA256
375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923
Threat Level: Known bad
The file JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
DcRat
Process spawned unexpected child process
Dcrat family
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 01:51
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 01:51
Reported
2024-12-30 01:53
Platform
win7-20241023-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\inf\ASP.NET\0015\services.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\42af1c969fbb7b | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\defaults\pref\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\ASP.NET\0015\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\AppCompat\Programs\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\AppCompat\Programs\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Registration\CRMLog\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Registration\CRMLog\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Globalization\Sorting\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Globalization\Sorting\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\inf\ASP.NET\0015\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\ASP.NET\0015\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\inf\ASP.NET\0015\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\ASP.NET\0015\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\AppCompat\Programs\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\ASP.NET\0015\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe'
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\ASP.NET\0015\services.exe
"C:\Windows\inf\ASP.NET\0015\services.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat
| MD5 | 625d01725291f44b76c1aed730690ed4 |
| SHA1 | 08071240393735e1401604a57aefafd41d9c08d7 |
| SHA256 | dbfce0c666551b8f102c3febd987c6f5f96f665766cddb2a6d08df64ffddbbda |
| SHA512 | 7d13e513d65bbd4b42575272eeb639529590f85ee69791c16f9e976d0c6c14289010639c7da89862e3e2b51811e2a212786375ed1db9e41e49e70d8664b60328 |
memory/1028-394-0x0000000000430000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e331fa27a211dcb2beda310f4afd6dde |
| SHA1 | 4e68a4a0fa920bbef6e3eee1aa1ea69e6974c8bb |
| SHA256 | 62073a74c4e8e5e888a38fb5d2a019ab9ea4a6669122d009dc7023e7455fce08 |
| SHA512 | c8da4cfbb2c9ca59e5ae9b3d81b01c5fee5988b05cb2d442730c0b97c47427478107b254d88bc302497e05501073e9f27850779e2aaba6f8a4d9d96b85a0e168 |
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat
| MD5 | b1804fd12b823b4bcbfa3bc6eec7874c |
| SHA1 | 92007aeb80a50549da76453063974b7d48daa162 |
| SHA256 | 05581dcfd9610c361f015ec047bef13f76716604e7db8ebe6429b268d97a21fe |
| SHA512 | 1a736d408337f3a087b75e4b31648a444ed8b8e96a256e933a385cd523cd2bc3c25d231602e91dc9b451510662dfb3df81e7822f09435090a6139c35513039ee |
memory/984-454-0x0000000000140000-0x0000000000250000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5149d2f2f9f23cb41cf0f00e42f452b6 |
| SHA1 | 9e5e84e31638f83a102c75e1c829deb059cf5067 |
| SHA256 | 8250494cd994319c51b472c83ec498ae69260bcd656ce433ea340193243fbf85 |
| SHA512 | 49bdbc8c83fc6154c3267d81dc94d62ab2a391d3990cd54863671c49ef439397b4e5432a8668864c47a6aeb5669ba25a9a4ca68e94a799c00bb88afacfc379d4 |
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat
| MD5 | 9db71bbd3bf5d9c606dc620dce9d671f |
| SHA1 | 803b7f50bf8b0c2bfc1c1a2422bc5d3b40a3ddeb |
| SHA256 | 0321bd3cf90f2b7b8fedb0af0ddc864ec0cf180c0f0e42d1e53cef4a91c3e637 |
| SHA512 | e9d61d1eabf9c3bf5be52791a378a4b520cbf39b9d796099044540515bef9a736efe72ba03213138343bcedbd9c347d4796a11bb7009426168f661da31531616 |
memory/2932-514-0x0000000001360000-0x0000000001470000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a0bddb05055bfe679f964bf016976b3 |
| SHA1 | 750920054b0e0be175ed66e82772130e9b7695c3 |
| SHA256 | 7cc79e959ae723c72922e8182097979282cfccd00cdc1c1ca773341c9ad3f49a |
| SHA512 | a98946cffe9698d68146fb725ffcef69c4ea3133a8ead29a0fffe4a5453a5f052769c0a7db6bbad6bf5348e58dc426bbaaa045c9b44eb03384af2b006f497229 |
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat
| MD5 | 38cb1ebc762dc5c14230df9c4ae66c76 |
| SHA1 | f58c6dda355227e5b742fb0b61fc8d478cc7cacc |
| SHA256 | 124edfa6d844774233e03af9c8c693e15e9b604c5a9b431ccdde5c45ef3c00fa |
| SHA512 | 4926a670be6994054fc3dff09be3b8c42b91f5de7226c7f1e6666328e8aaedbab4add900bd7085425849a82160cc17780625238d374254bd41ffcafc0595b288 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3d44037f106e0eb542471d06611fb2a1 |
| SHA1 | 5c6ca498b9b5d194d76e1bec3136949bc2a465e5 |
| SHA256 | bf67a1a1ec15997fd7f47ce3899d3ffefa324581af565e9af7d93893a0ddf86d |
| SHA512 | 87e5cee2a1beb9feca64168086f73858dd14a2d5cc6707986f33b1bb905aa9871d1388c1096768ac29596e4573a705c842f5bcc8e88019ba44f8f79b2aad672d |
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat
| MD5 | 718ff226a71cf8e36266d09b06055721 |
| SHA1 | 5ed2c840c1ab4a8ef718f4a64071026051d63111 |
| SHA256 | 5ef9b407486c939c2684f1f239ad70046e7d32406e0dc9a2158f309e9e34a538 |
| SHA512 | 3ced2f6502996df846863f4f25eb496bcd1135d964d80b32f5adce8c3ff7b3bb821aadaf081d23abb7ab7651eebca8fc26bb301d0efb7d5dc0bbcaaa5257ec0d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b8176a7ee205270b7b850c6b33160040 |
| SHA1 | 46027486c846734743bbb3a2290802eebe806143 |
| SHA256 | b2b011715f83fdbd22f70330c4c6a86a38abfa31153ef0bef3f7ae83824d3d16 |
| SHA512 | 18f5c27f56c7f62188abee5fa709ad92e7042718ecededc31c5cfb3c50c67f01a230c9074f8967cb9599221a68ec37f53358376635a36e7ca465fbde87d50053 |
C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat
| MD5 | de9f4d7306f972140a6892200495be4d |
| SHA1 | 359a69ba9d070d6bd439b91cd8e5c9b7cf7286c0 |
| SHA256 | 27cdb9cf709e55f128315c0facc1361316753fd6c3482223cfd3d001b0eb6015 |
| SHA512 | 5e0cd11738530dab308a7ab3e4723e84b08c7ca7d6efe68e2175ae1c7c7a402321118af5d90ec6bfb9f02711c380bbcb91692e83f9938ab211465e2971b5c60c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6d21c3c7497c4fd4c7d3f25dab91b3bd |
| SHA1 | 45e29c2924aed5213b30f090ac05bd78b6144860 |
| SHA256 | 1231872bdac4635a9ad6d63ed62118febe10c558a1c1bd4b8e4e60b9095f1d74 |
| SHA512 | 01ea6f2f6dfcd94fff1df05e69f66175d64ba3c90077b45a4101b409d3cad4c98aa9a339ab70eec9ab9bc017650b2b37bdafca43a97d2669c1631eed23113400 |
C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat
| MD5 | 9fed6e9ade6ef2e6457197ff1e42c5d7 |
| SHA1 | 07f20759b07232203a1a50aebd990429eb6f0386 |
| SHA256 | da4181b49d3de784230d124d2961caea6be90bcf2fd918ec0ee6d8331a600329 |
| SHA512 | 04f601566433eb3bad484fac4c74d5cd15865ce19c0e56b928fba5257569047416ac47b035f4815f698601f036358d97a648da60e39964a2557634dcfab20556 |
C:\Windows\inf\ASP.NET\0015\services.exe
| MD5 | 428760f5851ea9b583a70b905428d76c |
| SHA1 | 3b89f01398840df9804648152f18a0a9fa6655a9 |
| SHA256 | b91d65c1ffc9b454013da44cc8313765d118ec63a8cfdf7288871320ab8649cd |
| SHA512 | 88ec42b4a3a914a847070250546c9cb4719bbc1bf3141fdac00ab705e1d4c39edb0afd8b023518370d034ef11eae2dc3adbdea0d064ce348875d223d0dac717e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 01:51
Reported
2024-12-30 01:53
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| N/A | N/A | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\L2Schemas\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\L2Schemas\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\ImmersiveControlPanel\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\ImmersiveControlPanel\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\L2Schemas\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\ImmersiveControlPanel\conhost.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\ImmersiveControlPanel\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\ImmersiveControlPanel\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RoC84loMkT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ImmersiveControlPanel\conhost.exe
"C:\Windows\ImmersiveControlPanel\conhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
memory/2928-148-0x0000000002AA0000-0x0000000002AB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat
| MD5 | cb307687356d5e002c0a077b2eaf1e4f |
| SHA1 | ff44f0622c2430951bc1c1f50ce32ac6518d0075 |
| SHA256 | c6e50ae175596933de88eef573da73fd4f51a98615794cd402edc67df25be0c7 |
| SHA512 | ae8e77d4a34801163ddd464fa1d758ed47cffb16e27ce0f239dcd8fa448286bae796681dc0b9dabfd743916ec57f2ba8544b61b442b8f1f4e3bcdd31f7390d99 |
memory/4244-155-0x0000000002770000-0x0000000002782000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat
| MD5 | 032c7f25664db67d3af6df5d090bd697 |
| SHA1 | 9c6e078fda983effa549d7f9fec0c9104f0889e5 |
| SHA256 | 96dd12c9293dade842ee9ff14b9fdbb4a3bda5d5c850700ea2799c0a061cad46 |
| SHA512 | 69799c70c344e407eb6f54340c8a6444030a3f6da3c4ddb599e7cb09e6a550f7d24a491fa227b504ca617db96c6b0da310222984cdd5fddb679cb0fa5fea08d9 |