Analysis Overview
SHA256
6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837
Threat Level: Known bad
The file JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837 was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
Dcrat family
DCRat payload
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:32
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:32
Reported
2024-12-30 02:35
Platform
win7-20240903-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
| N/A | N/A | C:\Users\Default User\wininit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\6203df4a6bafc7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\DigitalLocker\it-IT\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Fonts\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Fonts\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\ehome\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\ehome\6203df4a6bafc7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\rescache\rc0006\audiodg.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\DigitalLocker\it-IT\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ehome\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\it-IT\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jpozkiw3ki.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\wininit.exe
"C:\Users\Default User\wininit.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2644-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp
memory/2644-14-0x0000000000540000-0x0000000000552000-memory.dmp
memory/2644-15-0x0000000000560000-0x000000000056C000-memory.dmp
memory/2644-16-0x0000000000550000-0x000000000055C000-memory.dmp
memory/2644-17-0x0000000000570000-0x000000000057C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 226c29e7df2f4a8abef8e67ddf491908 |
| SHA1 | de72224e43c447ff52e7fccaac52ad27c353a8e8 |
| SHA256 | e6896a1498da765782415c8acc4575d64a03bdd18ff89ef60e5c8934025b2e15 |
| SHA512 | 9e5b7507b52f9344748b8e320cb5be83d181b038e5a8edfc94edb65a228958dae4656ff7968bd31d51e4280eac4e8a63152edff5c506c39b56f2aa6630e27e50 |
memory/1688-89-0x0000000001F00000-0x0000000001F08000-memory.dmp
memory/2704-88-0x000000001B670000-0x000000001B952000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jpozkiw3ki.bat
| MD5 | 00e1b5bc5b4ba4081276d560f3fb464d |
| SHA1 | 8c449c27ada9e6d29ca2b5ca4df7fb9dda26e22c |
| SHA256 | 80e1e154f5ed5492583d082aab327b895b376c4286ed1bd8c0e028798976eb01 |
| SHA512 | a834aef8f405d3d969ed595e0b9d2a4433e7d4e6e60ea46f1d36c0113761ad04a97e3699f4c6c790cba2a40c1381e8705ee9381ebc2be5e3d6d1e9252f73611e |
memory/328-142-0x0000000000830000-0x0000000000940000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabB04E.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarB060.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat
| MD5 | 9b630e441ac9dd33df986e576fc0d913 |
| SHA1 | 157658533a693df52b944720df0b60cdf60f612e |
| SHA256 | 6ebe9c0b5f8f7ab34ee81b29d60a68474a5e2679d68611664302a9afdf9bd689 |
| SHA512 | 009d5f6608a7025be3c772b033b5168b2c73d4fad99995cf4f7138630a3435da9d883f8b709211c7fc0cb2fbc0f74b39d819113d0778a9a61c87b42ba710154c |
memory/2336-201-0x0000000000370000-0x0000000000480000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2fa4a9c8c76cf516ba540144619250a |
| SHA1 | 780ea8159552ec8c67bbef50255084fccc76700d |
| SHA256 | 52a5b3be792c88a9ff579bd93a107e461cf9ac2021556bc4983f16c033e9fb87 |
| SHA512 | b7c3040146ea8645f573b94e7a533e5c574627b913f9fe27c07773e81c54f05d8f773e654c78eb5763e0b1f542bf414eec60ebd9ec8896e8e9384bc80434d869 |
C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat
| MD5 | e960eec91dbd2a7037395207191ae583 |
| SHA1 | 82b75e66899626dd1748060f8e74f29d115421a2 |
| SHA256 | 2dcb76988302ba74cb0c9dc6e0d0c42d21cfdd8ad177d9d390bb94dac63652ff |
| SHA512 | faed1c07030f7b0f8a225e76499f307919e60824dc20e290d3d61434a9fb64d7f742ee2a8b889084653cef092b2d35ce2b199234236799b329c16d5c707eafab |
memory/336-261-0x0000000000A80000-0x0000000000B90000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b58b41981f4f6c856530b08ef9ea801 |
| SHA1 | 6e5a641333ae9bd8a0cd36dd1ed9102c55c0246a |
| SHA256 | 9e16e2607bd3e87aa261f7d7da67a935e9e98b16224128271843bb0da87ee824 |
| SHA512 | f15131f9b498f67affcc204e5515728e579ced9390ccde10ded1de33dc9d1fdbadfbbf3a404566d48fb093637b75bd18d3537606f4bfdd9bf18ce715a383f77a |
C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat
| MD5 | ea15bafbf1a47188f860a7fee88c7b39 |
| SHA1 | 185c263d4c94e9003c330dfee1066ac0ed0d8ed0 |
| SHA256 | c6a739a317b260e23d5986482977cadd1fdb4a290eb586b4577af4dbaf27abb5 |
| SHA512 | 6edf23348ad333478099b63d31bb4cbd3148d21af030e994111d6b9b9a5ee63df1e75c12de9207f1c51b6a6bf5facd9a20db8b57ccc4e69910cfd6bd66f533f9 |
memory/2588-321-0x0000000000E80000-0x0000000000F90000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d20871ddebdb0e46a8af3e5853e1b3fe |
| SHA1 | ed0147d878fb0ac96845fecc9bed43ddd52f4163 |
| SHA256 | 2481c1534f68cf0f066acfb08ca5c15456f79ceb1243e89635d5caac43e5424d |
| SHA512 | f284d6f1b0f9941f3858bccbe6cefed3948e5405386c879184de094ec03d7fb75cf490c1d6b90b12ed01fda53d4e47ba65f212a305ccb971de073f5517f37df8 |
C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat
| MD5 | 8814c95d4bdfd016cf3031bcfd981f18 |
| SHA1 | 7caae11067410bf35f1522b9b956979337df0a01 |
| SHA256 | f140b24ed5b19caf86007b2770d7a06b0d6da4e745d44118111e22ec04fd70db |
| SHA512 | 9f704105ab0922d2c47bbbaa159276f2b2020980869fb4168470fd7a3fdda3900fa2f1f4fc9d32aee5e3a21d5ab496947068cb4bd59ac237cc00c5544230500a |
memory/944-381-0x00000000013E0000-0x00000000014F0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ad1cfe606b373babb3e7b11c2c5dff8f |
| SHA1 | d6d73a0d3e2dba914f563645e4ff63e5d94240c3 |
| SHA256 | 5affa420cecf5d07ec01b19e5846c4dc7b0e50085f8e26120296626a69788235 |
| SHA512 | 00fc6c143338e15a73ac25a048177879d8c304150a5735162f9339e7d8f041048a9f79c90d7de6bb20a633d954a60b5e37ca53dc3eff86d2937ebe19fddcfcb0 |
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat
| MD5 | 1bf12767dd085341da4e19c4def121aa |
| SHA1 | c7036306aa5584b1449999b2fffa76fb7d9c8af3 |
| SHA256 | 7e389b87e36fa408d998f71dd5b1917d4719938e77ab1821bf69f021a6f1e4fa |
| SHA512 | a3b1e2b864641cae1462b5c8602664367bcc32889286014d5d8eb9cde029d2e6d2e6427fe7b6318bfaf0a11106ed6d5e15fed9190797b58a868165c8be3eae97 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2269acb9b0c4e156ab6c208fe8b81f0c |
| SHA1 | 6469de101c73761884ceb0e5f8904dbe14763e07 |
| SHA256 | 7ee7d912aeb8032b67911c3296a856b277963833bf8561f30a37eb35d37fb015 |
| SHA512 | 52d4222da9e9db4012863f8b90e2025f6c917a81bf84953eeaf180f549c00ed46911ad16bf6457de2cda386c108f5267c0107326a71ec648b7ef54445294a8a6 |
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat
| MD5 | b8633100190a6c728c5d95834682c31f |
| SHA1 | 7af11aee90a5949e96dc9378f194d26800eff177 |
| SHA256 | f43431604e5e33724bf07ad53aebc6ace01ba19f100d98bcfc19871cd1f6d63d |
| SHA512 | 3a9c816d0eb0cf48c28211475078e3500b7a1fb53b0d8ad6d6e85c7ef73f4ad0e68322448d95c2f14d9e47a3f85a04a30944815b24e789ba268a094ea0ceb6bc |
memory/2524-500-0x00000000000C0000-0x00000000001D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d9a05a9c3de447e98fd39a5521e31615 |
| SHA1 | 3c45f6101bed0fae105997459d9050577b8cc95d |
| SHA256 | 0f3b22b572dd17f86666084ad5a696ebc267c035e64c86cf6e5abb0dceb0da09 |
| SHA512 | 9cb3113fe1e6ba303f0b9042dba08d3941069412f42285e14c0f49eb15f31fdae40e5cccab49be5c4ead15ccfff8fdef017ee578e81ca2b07ff772b923544d30 |
C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat
| MD5 | 924b5f98b97936badb3209e112465ed4 |
| SHA1 | 96d81f3d2598d7a50242270ea6deb76f0c272605 |
| SHA256 | 75a6a135e42ed0e4d318db5ffb5be1acd70eccf8d542cd92c7e28a060d0f2e45 |
| SHA512 | fbdebd247d32e395cd20ab9cb62ba811e209635163d3ab14f1667cbaec17e56fb4cc66857e124e79210add0a59eb45fd8b12640fbfeb7526a594111fb3a72173 |
memory/1800-560-0x0000000000C80000-0x0000000000D90000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c980a789a96aea3710494172cbf35c9f |
| SHA1 | 91a9e32514afde6a7a38c4e822672ff3a510b047 |
| SHA256 | 9b00c7aece109738c921f226acea45c5ffb3677dab522e9d69f14b3af27a27bc |
| SHA512 | d2d62dde80c5ea1e6f3bd7492b22e09c02d68b987dc75f0bef2cf386028637e0d5d0139ec313f665b273f43de3e8b81802a66a8b3c8393f2d6e42e98c03f7c8f |
C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat
| MD5 | c2d7f289fb722fad9328241966fef5f2 |
| SHA1 | 990c8803eb78525425ee91e7a34fbe55ab79e12b |
| SHA256 | 76f9c4382de0b5bd97b1a9c3387ddd8844ef74c5b5cbd7c4179e7689c49cba7a |
| SHA512 | 3373d1f22267f15e5a1074696b04eea78dbd38db202b6a9ed4403cc51f1df499e1ed1a77248ac06669aad08856e7929b48b346bf6121f49ad4538198efeea340 |
memory/1044-620-0x0000000001110000-0x0000000001220000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b6761196075a15878f8943f84a7afc9c |
| SHA1 | 48c132c267c25eb4ab47c3ddc38833c5f208ad15 |
| SHA256 | cc3279c23c436d1145a5b05e34e332f60599b680153616626a11c64ed7990974 |
| SHA512 | 6eae9e99d3017e9c30a690fec1c49ecff6c314eea41439d7b25f5b6c37471467491cdc1cf923d447e0814d1dfee29f4f09e41e62d579070c6b1ff00191091a30 |
C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat
| MD5 | a5c908bc8fe709a3a836b4d7280bc64d |
| SHA1 | bcbd04826ba1c3995ad00b628a46021f26190889 |
| SHA256 | cb125d853394fcfaebf6bd1805a9f0e3efc5b352e0a30fae545e829821f612e1 |
| SHA512 | 7333c082b370dbf1b3f361be148c7791a2a9d7357ed85625b24ef0ec8595c764e2443ef198eca456247a06b037dcf1fa4269dacd97fa561cd370561edd611181 |
memory/2580-680-0x00000000003A0000-0x00000000004B0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9fe1ec2f215ddecd7467ac00dcbd27c3 |
| SHA1 | be1e9af48efd7179bcf4ec779d158daec192eceb |
| SHA256 | b4287a74484a63bc2d20726ebc84d473a4697a5596eb76f7c9bb18e031dfc1fb |
| SHA512 | 9a751eb10a5cd1676858f80d221954be7b75a28a6d4fa5e724e83148212866fda56a09de66edd7a306957bc01b17a34e29510f15f70606d17b1c4f359a60f621 |
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat
| MD5 | 3d2fe4ada936042de08eeb254594a847 |
| SHA1 | 2ff116e453c30c821c0a02c92437043a7032b306 |
| SHA256 | 56115bb3c5af086eede889c63934761b3e0cadbb35f63e36ee92e649f738e014 |
| SHA512 | db203f0649601c4686e85aef4afb75393564f087e7173d5d4adc131e85d378b7ffeafe372d37e19d1ccd3b7cee59fbbdf44324999b79275f17f6399cdef754c1 |
memory/1480-740-0x0000000001120000-0x0000000001230000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:32
Reported
2024-12-30 02:35
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\csrss.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\csrss.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\uk-UA\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\uk-UA\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Recovery\WindowsRE\csrss.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6417f15f0e04496200e688dd9e4782b82f0cc9e76a3167a259dc2cf25face837.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zewrKVspW3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1852-12-0x00007FFCD4B43000-0x00007FFCD4B45000-memory.dmp
memory/1852-13-0x0000000000280000-0x0000000000390000-memory.dmp
memory/1852-14-0x0000000000B50000-0x0000000000B62000-memory.dmp
memory/1852-15-0x0000000000BC0000-0x0000000000BCC000-memory.dmp
memory/1852-16-0x00000000024C0000-0x00000000024CC000-memory.dmp
memory/1852-17-0x00000000024D0000-0x00000000024DC000-memory.dmp
memory/1280-47-0x000002439E3D0000-0x000002439E3F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x3x1vutz.kx0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\zewrKVspW3.bat
| MD5 | 68a3f2a1d1835c60b44dd7f1651e59cc |
| SHA1 | 00c4b7b48a02ae19c2ea8e00ddcc38c8da36e405 |
| SHA256 | 10ed008c3eeb020b4446c93cc2818a567df12e700fa59e4a7608179e00b68e78 |
| SHA512 | 4bc3de0b6b4b1643cf81e680ca7221aa2bc4cd132e7d6a02e2604995fb12b949565cc1b0fcf1424cbc019573d4e2fce74a89fa2529529dcc124602ea941296cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59d97011e091004eaffb9816aa0b9abd |
| SHA1 | 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b |
| SHA256 | 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d |
| SHA512 | d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
memory/3388-144-0x000000001ADC0000-0x000000001ADD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat
| MD5 | 368d42a89ea2c8d6e9ccc8aee5609b59 |
| SHA1 | 33854667e0c0358bc4b70f9efd2dac8cb9357144 |
| SHA256 | 4b3993489d018482720657bff7479d2ef7e9dc715b0d64e2bb286b19a3da87f5 |
| SHA512 | ccaba29e5e56258a079dda4259510afb380fedf49b3cae8258815eb6e08cb1b050251aa9541118079d619ec4dbd0c25483931722dae184242a9b1ffb9a3f7c06 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat
| MD5 | 77ecf31729d9f7b94da7e6d7a5d9db45 |
| SHA1 | c02ed81d83e4e9fb695c9c411da82c5ce6fa3772 |
| SHA256 | b9fe267cf553ed664d059f10c4094188f50e124b8a4987de63ce4ecc53504681 |
| SHA512 | 9353605176a7c35eb0a0ec5abb6f2c065b81a366f0762e2e1078363d9ea99688b0bb9aa9108667bb8fbc9dcbce5c628deda819fc52f600ff75ec0603f2ed7cdf |
memory/2668-159-0x000000001B9F0000-0x000000001BA02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat
| MD5 | 1f8b6a63b79fe9ac23838d6d1a2e4e39 |
| SHA1 | 493b2a3262a9c58301306de55ae901b81cd587cc |
| SHA256 | c54beaba8da5abccd6a3f92c448ab3473329e2c39ba644be30915def86d47b10 |
| SHA512 | d7a2efffb3e0b489ec1a189f0d1d172bb2418c9af125e080f861ff92d0b874deb6258207346ae6aab7debab4cf50f0d8c5a09c9bbbed9df913e1b412b9f44ecf |
memory/3776-166-0x000000001B9F0000-0x000000001BA02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat
| MD5 | ce45ac43d25498a0aa706d304b40b36e |
| SHA1 | f10be1b1d5ede8fb0a1ec3132abb44b59e6eeb4d |
| SHA256 | f632e33146bc82c41e132745b3fdde5d6a43eedf0a5e30a98208d6b36fd0367f |
| SHA512 | 6fb5c7fc66256025f1223dbdd88bc539e454b9115c7e9b6f469ef89826d1291317350c03dda2f54fe3c754d50446776f3ba63485b7c6a914404736a80e45115d |
C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat
| MD5 | 23217aae743bb55192f91d28540e0b5a |
| SHA1 | 0243d2db65f4bafcaa9434a044b9133b620ba417 |
| SHA256 | 6eaf35af49b613ae7dfcd0fb731f8d2d6e2d6d8c92634b46a2d34f8ecd3d5af5 |
| SHA512 | e262def6d8531c7ef5517c5dc58114308e92bfebb4bc99b0043bc7b8d9532fde9db8884589bd424ba21421209e313c447323965903f1f10744a1c3cf967e2c1a |
C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat
| MD5 | a75d7124fc05549567d35d24925677b0 |
| SHA1 | 6ab7502d33bfaf51f9d6484657d8ca0c7bd9c2d0 |
| SHA256 | cf24b017b23f1a0421762508060cd11cb84303267505fdced4657f5f41c6f155 |
| SHA512 | 6638ae246d56a9e384462efa989e880b0cc73e6369ce45204f944b2213905dc207897c3ad6560d636bd86f71ee3bec4f3ed9a1146a9c54a15cc349a0c0d0f346 |
C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat
| MD5 | 2e4275a4c65c5179e6c0096f2db8472f |
| SHA1 | f206f5f8557435def464723237666cc9c7c0d8a2 |
| SHA256 | da0adb687cfbf0e1cebefc553d8009cf901a9027e9e82b8d8640879d4e937cca |
| SHA512 | f30eb22458126ea3dd7ee976d746fdb9e5f386fee40f655696df8aa1078c880c0613b2fad88b87fd0b533a481e67d6b52d97069637be6d5658b7bd63528e5b35 |
memory/1320-197-0x000000001AFF0000-0x000000001B002000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat
| MD5 | 099670ace2732119be87ee2b7a220d73 |
| SHA1 | 5d76027d2fe539345ef46f8b7c7921ab727c5185 |
| SHA256 | 720f620caa07f07df6699f5230fc5faa7323f475d42e98044332cda6a62afa36 |
| SHA512 | 9ee92eade492548c93ce0f9d34aab23e012ac26975301a7434b0887e12ef5ec55f68c5f636a4c8834b7e9878b31a7022543ac394ac312c510c9b142e47e75fc9 |
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat
| MD5 | 565ae3f66ff245b9e8396010468c8703 |
| SHA1 | 249b21af3071ba7f1eff605002e8bca97771dda2 |
| SHA256 | d4b495b01e51e97fbfc1cda1f73a0dbdec2d862393f3c6031f45c8244d5b38d3 |
| SHA512 | bc0a82ca821d36047c1b227c41ec8e6d36558494fde9478b1e63867a4ffaf6df44cfafdd38449bf14be278d0831241fb93ae4823296f01ddcb08ed4aad4ca7f0 |