Analysis Overview
SHA256
bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63
Threat Level: Known bad
The file JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
DcRat
Process spawned unexpected child process
Dcrat family
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:36
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:36
Reported
2024-12-30 02:39
Platform
win7-20241023-en
Max time kernel
145s
Max time network
141s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
| N/A | N/A | C:\Windows\ModemLogs\taskhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ModemLogs\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\ModemLogs\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Application Data\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\ModemLogs\taskhost.exe
"C:\Windows\ModemLogs\taskhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1032-13-0x0000000000870000-0x0000000000980000-memory.dmp
memory/1032-14-0x0000000000430000-0x0000000000442000-memory.dmp
memory/1032-15-0x0000000000440000-0x000000000044C000-memory.dmp
memory/1032-16-0x0000000000560000-0x000000000056C000-memory.dmp
memory/1032-17-0x0000000000570000-0x000000000057C000-memory.dmp
memory/972-42-0x00000000003E0000-0x00000000004F0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | da3685c5509c6e141c94452b158581a8 |
| SHA1 | 714896fd199a5c38ceb110bc2255d3872de2cbde |
| SHA256 | 0be2335c8b30dce2def6d7267a87aae59ed8ff773c57578858973f91d4aae500 |
| SHA512 | 92926c7a20077fcf597fd7d5bcc0f75bc799095a0e9b4318fd8515edda92d69ca83ef41dbd05641056528d1b72e90d484849086ccee168e0d0936ebe076545b4 |
memory/1096-53-0x0000000002210000-0x0000000002218000-memory.dmp
memory/1100-52-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9D2.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar9F5.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat
| MD5 | abcb963097d1b4c5dde62be7b499c402 |
| SHA1 | efd6294ed83801c2078fe70e54a2b70bd5140d3c |
| SHA256 | cd44422e624d7d20b9863cad8869f2c38a3f9e8e92c4003e4e86406f943c3208 |
| SHA512 | f8b80590a41bbb44209ebb565d9b031b7d06d1e84bbccae71a20308a1bdad37dc5b178633b90d94d7d5146f3566025abb19780b057eae699db3372df037c3b54 |
memory/964-146-0x00000000009D0000-0x0000000000AE0000-memory.dmp
memory/964-147-0x0000000000240000-0x0000000000252000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9a35703fdabc03504126429938da3188 |
| SHA1 | f532352df720da031805da461e893793fad72006 |
| SHA256 | 9596efc4808d30a540d0000d47a4ad2bfee9d02d53f0e3062ea2900310930931 |
| SHA512 | 755e1ae13945b94864b19f7dcd542e4150fba758c3cc8ee678ad3553c799ccc8bb4187b710dbc053d14b111725a28cc0e3f74dafe2171925f8fa3b192487b08d |
C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat
| MD5 | c9696dbe4cd63c75fc5cc16683c00d57 |
| SHA1 | 9375ae1aa091153325c4557d7e6da52ef271e07d |
| SHA256 | abffac2e21ebc286951846b039e4735551cab07d1680d3dd860b67ae1df2218a |
| SHA512 | 981f6fc6c7839ed5d40ba47fece6c253d1340c6a4f208dd206e5a955858f7330ae281967c77f0f32a742786fec11abe4a9ed7380b7005e8ed56dc7c260aaf2f6 |
memory/852-207-0x00000000000F0000-0x0000000000200000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b30f15c94f3caeeeb26c3bcda95e02ea |
| SHA1 | 75bd004df899a1ba20e9e7b19df2933ec6e3400f |
| SHA256 | 0ef204543f3d6b766ff2bfc62c803cdaa49a1522ffbe93d3d934004d98809d4a |
| SHA512 | 0633b31eb544ddb5dec9e75bced9ca482b6b2653cebc2fddea5ef76b9881a48324b0b3832f02dd2b576317faa5c249e54c33b155d33426d31e50a1bdce6f5348 |
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat
| MD5 | d3a645cc8642c495976724d5a6e82306 |
| SHA1 | 69e3de2c21e71de77298012660be4aab25c2686a |
| SHA256 | 159849cac1483254b828cc591d114ac512b8edfb6a45e3e1905427a7f5240daa |
| SHA512 | 8077a1d96bb85dee6895b20aa8386e685720d82d4e8a5f7582c4db1e9d58b38af929da7f2525e894c1b1770a51e0c849196d132c0d2be1b2d214ba4bed3048fe |
memory/2488-267-0x00000000011B0000-0x00000000012C0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b7d35734de4d50bb8bd383196b6c0ef6 |
| SHA1 | fb4521871b584bde5be2464909279931fa10538b |
| SHA256 | bb7ffff81a51f3beb8c5000f9ea7e150275482141ed5298115b1d4cbe47eefda |
| SHA512 | dfa3786de69311bfafbf9f7d09911a7e39b47906ce51dbc9cddceb472b0bba6b2daa983137515ddd37c26bee8ca4fc20b0540433769569846d079902709166e2 |
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat
| MD5 | e85cc3b0cdf76705b3bc2126bd0c83e2 |
| SHA1 | fee2a2238b5e5ec0601ec8276274ffe5b1e978df |
| SHA256 | 4e2d2ec43f97c3bfeaf149d58802ad19d4976b72ef6bbafdcfbee9549632acf6 |
| SHA512 | 18dfdbf6487d781007d224a7082645c98cc3ec6e7f7df6d9f6654837062944c051e9f913ac8f61cc78bd048f892b316eec8da1f53f68b94916c437113cf91add |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c6343f1888b9693d581222ee4e828781 |
| SHA1 | a48d11d3232232ccb42f4ea76ce335fd98d26b3d |
| SHA256 | ac1a2aaa757144ad51b1c9033e36a38b64fb0d715d749cfaa8c11d0a01537bb9 |
| SHA512 | 28bacd823b805a5fb30137eff8150e33aa4edcf6f5d6ab54a2c2ead02ab4c716bbdd1f9417f4cff06a526212611b271afcc2339b70b0f006f3a9d2c81bfa9d67 |
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat
| MD5 | 41235eee95e02dd86e0f427599864cf9 |
| SHA1 | 959d9478aed3bfc41da1687cf47af6d56035d449 |
| SHA256 | a1a943a631b016e8654aa2aece40e720f044dc96209af74f2b8afb72111e0fb5 |
| SHA512 | a4ce33b7820d7c8838879fc8ecb585c9cc48a45a5e2d5ac658e763dcb60f3017cb855a2a7218392c5dac9c3ee8d5530116ddc44ef2197a52694b8e1b2776d834 |
memory/1636-386-0x0000000000430000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e79b2f605ba8ab98b235a45427e12e83 |
| SHA1 | 47c9a828b8871e16f62dc8d95e4bbadc8fddf1e2 |
| SHA256 | 5a45a6a226d5761f662bbbc187ef313b544e5dc09ae1af77a9b77be98f871e0d |
| SHA512 | c13c15391df2ea7771f6374890dae18e657be2bf1e334eb12c672a99713676e83cb663852c0c3d0b453555594c967deec032808ea78089c0d9a9e51ef3833d31 |
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat
| MD5 | 7d58d5850741dc0e95c87ef222414c8f |
| SHA1 | 76398026616a37a84c3902d29e55546fa056f894 |
| SHA256 | 9adab3287485e6d684998d2fa562ebfdff5051b4f66149bd3f2f5abb68144189 |
| SHA512 | 17d6a3b931bb485446d8ebfa42003897fa9b5cda271918dfd2a08749272583f41082291c31616a0d9a5c3768aba32d1b20ae26453893d1d6e417ce02ec8a7ef0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5f289672837f7738799da3c304e47695 |
| SHA1 | b7a24703b5abb49decd723e62d5967fa03b982d1 |
| SHA256 | 1b86a9a7a0ddbdac5809d940f9c710655c7a74b9e895daab6c35c3ba5948904d |
| SHA512 | 15415fbeb1e4c7cbe6d8cc1f10066fb97c195a07ff1004c2d7a69f3abdfb3cc1adffecea5f8053df8ba89085c641545c8ab62d49a9384510cbc4d445c8e5f65c |
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat
| MD5 | 92c1cfbccf77d3e0ce367afa2dcab06c |
| SHA1 | 3d905656ca003ac16c1dc8ce1a427d54237cd866 |
| SHA256 | b1fe7975d5fca4017fcff0a36a84d48f18db7531027d8c7292599ee028874ea8 |
| SHA512 | 69c06f58ffee274457e61178350498ae9fbb58bb96fa4e7e7733983ce5be929936633449b59765aecd031be1ef1cd89997a7bcd3c56153ec45a6c5a50363a9ff |
memory/2948-505-0x0000000001310000-0x0000000001420000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80dc00516e2420c3f5c865b39d82fa23 |
| SHA1 | 853355af67e1cd02247a1e7e77a3942811449968 |
| SHA256 | 3a10730ef23694c4ac0e312f8d20f290431d9ef5855d5231d629e6b9348474b9 |
| SHA512 | 00a072b464ccef655ff76f292f5dfa7940fbe3154a465a7a48ac734b2cabff33e8516cc98f77762f12326c93c9f6fd40e09ac1d43f18e42deccf0441d27e9737 |
C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat
| MD5 | 0c1f69043f83049bf59e42e8b64245e3 |
| SHA1 | 36f8441b1b65e240ef88fed7fd2fc627dba33217 |
| SHA256 | 3043c7ac14341a6bc469f7a6146ff6e4f8b3b0166b98926135a7d6f2b6ecd70a |
| SHA512 | f9d9424383938a0b0ffb153431f2a1eef681a5832b8dbc6464fb291ab4b6194f67d224f42d866836d474ec30850e4e43b5dca849a3c70efe127c29791ec03561 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8b75bde568c1b0e5af04706c88ca97bc |
| SHA1 | d34e48dbdae062d5e9c7ca6d91a3ce4048ea6316 |
| SHA256 | 53ef7902437bf4ad53a57e8721a32f658d5ea8e1ca496240dce5a37418d6cfd8 |
| SHA512 | c64527eb6b540877c89e94df0a519cb46830b7c4909d7309418674bf2f38cbfacfb3de77bbad61e80c7ab825fa34e5c50581d80ec1aabeffed439b7253013b9f |
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat
| MD5 | a6c1fcc6f55baa023093cd47d4909ca3 |
| SHA1 | 1dea9f6a64e5d271661e188cbc45042023ebdee5 |
| SHA256 | e274380daf0698f6fd0081676392f30eeb1a034f165d55c0b91490b2625879e9 |
| SHA512 | 978c4f6fedd8cf65554626b5d1409fbbe57454c6a3a810372bb5cb8b4826d225b77707059afc4906c55bd126ba2f31bf68c238f2eaf5a6b5c0bcde37f998d59c |
memory/2208-624-0x00000000000D0000-0x00000000001E0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d867af224f6b7ed4a6983f1a078cb4f3 |
| SHA1 | f44f6fd5e5bd59466a230dd88bbad75af459fea6 |
| SHA256 | 8515cd8123e16087890f9441ebdfdc16f6f5b411da47a13a37d5216faaaec5df |
| SHA512 | 46ab9884d6d979a1354c2eecc0846a20a4b142defd8f3f56f31060c8aed5e9c2cc8b544bc778192a435734d01b9629599324f6bf78d699c7335d2d1cc4386220 |
C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat
| MD5 | b31a26050e2b3ec7119e274d49de0e6d |
| SHA1 | 1a009a7165fbd6a14d838b680fa1f36078fe7a8d |
| SHA256 | abdcb664bff33039605072c94cbc16d97e610c6fcd69483be0a9212b34e9eefe |
| SHA512 | 262b5ba992a939ad31252abe5592fb07f1d8349cd3cb4c3802a2be6658e4f25bbd3ca6fc13e344204ce3657cfcdc657fd49a8ed70026ff0f6a9289c7ec34b115 |
memory/2740-684-0x0000000000A70000-0x0000000000B80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:36
Reported
2024-12-30 02:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| N/A | N/A | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\22eafd247d37c3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\ja-JP\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Crashpad\e1ef82546f0b02 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\ee2ad38f3d4382 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\TextInputHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\WindowsApps\OfficeClickToRun.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\uk-UA\SppExtComObj.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Registry.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\ja-JP\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Crashpad\SppExtComObj.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\uk-UA\e1ef82546f0b02 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\DiagTrack\Scenarios\powershell.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\DiagTrack\Scenarios\e978f868350d50 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\System\Speech\sysmon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\System\Speech\TextInputHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\DiagTrack\Scenarios\powershell.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Program Files\Crashpad\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc11328d5225e151f6113c4e5570cde9dc8974dcf6f6b51e2038773a1c1b2c63.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Reader\DC\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\SearchApp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\uk-UA\SppExtComObj.exe'
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Scenarios\powershell.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Scenarios\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Crashpad\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Registry.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\SppExtComObj.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lYtLZ79qcT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Crashpad\SppExtComObj.exe
"C:\Program Files\Crashpad\SppExtComObj.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | udp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4392-12-0x00007FFC5A1D3000-0x00007FFC5A1D5000-memory.dmp
memory/4392-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp
memory/4392-14-0x0000000003220000-0x0000000003232000-memory.dmp
memory/4392-15-0x00000000033A0000-0x00000000033AC000-memory.dmp
memory/4392-16-0x000000001BCD0000-0x000000001BCDC000-memory.dmp
memory/4392-17-0x000000001BCE0000-0x000000001BCEC000-memory.dmp
memory/432-42-0x0000025DCEA30000-0x0000025DCEA52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_234rbpol.t3g.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4884-100-0x0000000002990000-0x00000000029A2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log
| MD5 | 7f3c0ae41f0d9ae10a8985a2c327b8fb |
| SHA1 | d58622bf6b5071beacf3b35bb505bde2000983e3 |
| SHA256 | 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900 |
| SHA512 | 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Temp\lYtLZ79qcT.bat
| MD5 | 2fe83b7bce99826d52a2b10c9d0aabc2 |
| SHA1 | 0310453a0588e562e683baaaf782325a01d7540d |
| SHA256 | b4f6c4cfb71d1936607c3304853c8cf0598c8873b0eebee1e3d754278f69bb34 |
| SHA512 | db155e569eee027ec4e35221aedfc8d946d191c05c9c28179848c50341fea08e0b652c290893ba320a382014e0b2d9db1ceb5d07bc8d1ec2d94d9d9209d84f9b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59d97011e091004eaffb9816aa0b9abd |
| SHA1 | 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b |
| SHA256 | 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d |
| SHA512 | d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a83ce2908066654f712d1858746bc3c4 |
| SHA1 | 14887f0537ce076cdc91801fb5fa584b25f1089f |
| SHA256 | 7c32ae0eaa4fef7404ce708744116ab8ea17d9575bbb3b06eb41a443f963456f |
| SHA512 | 991b20116815c7db3497d0ede9a216c7b78795e65f898847ffec513692f0c24d146a123725d14a2e1e3efb5744a626dd025a364f2f55f581e21640794a0cc551 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 216ed9984535dcd9a80f93bba9b250c2 |
| SHA1 | bc9fd7295b3cadea004ad66fd2b0a9407a867c46 |
| SHA256 | 8eab753b2a6e8a0185173fc4818d30de9377374d258e876ccc47eb922a642f14 |
| SHA512 | 438311ce326c6e0cd6f5dd2b04b7684bf2fbeb8642158566c30481e162fa185325748af4489d12a0502a28ad2096ec3383b670e69f749f2311c7e884aa15d094 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9a2c763c5ff40e18e49ad63c7c3b0088 |
| SHA1 | 4b289ea34755323fa869da6ad6480d8d12385a36 |
| SHA256 | 517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e |
| SHA512 | 3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a9a7f35c006bbf5da72f9cb250ffbddb |
| SHA1 | 458a8cedc38dac109631d9fccb3bf6d2c5c0e89e |
| SHA256 | a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b |
| SHA512 | d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ec66606831e595ea115f35d1b61b7105 |
| SHA1 | f22d025450dc8dafd9b434b2eb31cb876bcb8109 |
| SHA256 | 4f17fe98ecf3ea9ec9873ff0a3acdd6ca93eb17e280a01ff6cfeca4422019dec |
| SHA512 | f2922870f0b34b5cd8a75ce3aa94362a43997a752b0e8e9001f63d650225bf15415a75ce8aa333e4d3554a52ca5d40eec7b15ce67e3ee20441cf2680de59ed5d |
memory/4052-262-0x000000001B620000-0x000000001B632000-memory.dmp
memory/4052-268-0x000000001C660000-0x000000001C701000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat
| MD5 | f9143c025e97c437f71ac1384f2baaad |
| SHA1 | 7ffb468cb1c3b18be226c58ee1a8499ed60a1eb7 |
| SHA256 | 64ab5b40f403361ec77a61576752454dffa348dc4a7221e48eacb3a5d5651844 |
| SHA512 | 289b3191fad2d6aab97c02b120678ad0036373aee818196a3a6498fc349bb68c861b2dbbd5acb638f2aeeebee23bab79ad547af682738f1f391841455198fea7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/612-272-0x0000000002560000-0x0000000002572000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat
| MD5 | d035c32b077a2c1531382d142123bf19 |
| SHA1 | f1c586a92a365db50667cb3297267f9e33eaa38d |
| SHA256 | f11213f5404dd398a321d5bcd08d9fdd8e2051c347dc75fa2f1c774b77dfbddd |
| SHA512 | fad4556687123db18736bca5b913d3369dae2ff6105edce3797c6b6268fbf9ba4fcd52cd058e4f8304ae31a39fb516bd34a9061a6495c31b99173cff265ef089 |
memory/612-278-0x000000001BFE0000-0x000000001C036000-memory.dmp
memory/3940-284-0x000000001B940000-0x000000001B996000-memory.dmp
memory/2908-291-0x000000001C3B0000-0x000000001C406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat
| MD5 | 2d3f2097b40ae2119b627e62a6396b10 |
| SHA1 | 24468f82613ee8d3bd1df937609754f7e0005db2 |
| SHA256 | 4f9a0e8df7ecaefd7c96cc65c2fe9cabda0ce71f42e0c72dce103f5a97574840 |
| SHA512 | 548d66ebf1a2dd59a387c095d826ffec85d5094590acbcbf3bea16ff8a1bd0cf8d2d7ecd568ed660ab48930a50c9438dfafe17a4aedcb61cf1af4255f6e2cb0f |
memory/1068-298-0x000000001B050000-0x000000001B0A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat
| MD5 | 673613b6eeb71ea2045c3c0bf54b5f7b |
| SHA1 | dd2f5857c10e9caab0667d8779a2f86afd5fcb22 |
| SHA256 | 8a272484eae83e8069f17b51c35bb68c31a8ca2ab4d3713518c5a2bb4456486e |
| SHA512 | 09d69270859047eba48b3af10e92dd1c108d313b36cac93434ad3fe45be8c2cf8a3c7ee1a92b920dcb5647dd755b56d4a16424509916aa674e084850b7850825 |
C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat
| MD5 | 4feb793cf5b2ad46c5b866e215d6b77b |
| SHA1 | 1284a4817d711f690dbac362ac3c9d12a88733f5 |
| SHA256 | 8ce77367b9f2fe66b73324964ffe4790160fb690d13ebe03c68fa5ea8ddadb33 |
| SHA512 | 4f1bdd6a33e3c5c2f4fc56313c31724c843dedb004506bc902499c6fda4cdc78ff85cd9f7e32695be5c4ddd8b540bffd1485ceab95171951d036eb68fcfb1cde |
C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat
| MD5 | f30c9ae917f93bfa8d976ccecb3fd40d |
| SHA1 | ddbb74b289e418386bcda79609156ae47f51a173 |
| SHA256 | ab8dea7180ae07cca8194728c4d56c9f5d1e9f7de8acc370408474059b8375af |
| SHA512 | 60fb22da1d6767fa2071713a9d0c1a4a245e338c57e0bdc742e57452a46296bf42363be2d00fb4ac5d2decf524e5efae3425d249d945f3945c0361e321c96dde |
memory/2680-313-0x0000000001800000-0x0000000001812000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat
| MD5 | 22583372efab20a34e0b8d45dbb212b7 |
| SHA1 | 04f6182d6cdd3c8ecfb5218729a162cb5fd8bf32 |
| SHA256 | 61e5d8219132a23918f0011e90b1c1259602ff7db2574376318ed62ac31a341e |
| SHA512 | 6f60d88ecf8735251fefe4c396e48a40e77c0c4a09b92feef18615428130ad413ce23653fc555bc8b1dafdc74d346746d297b77f7995fa658d496d8e69e4b010 |
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat
| MD5 | fe86b378055bf4368e355cc299b954f4 |
| SHA1 | 1c334ddc77e23aa2ff652bdce7ecfd972d021bf1 |
| SHA256 | e3a57c53116524bec892caa827fb7a9a7279b463b152b02c44b6e988a63d7ac6 |
| SHA512 | 8382ad44b250809452b5523fdfc3921a25b9c9fa698f1ee0a310efab108b260dd4d025716a76f577f1f6edd0fe798bf62fe1ad523f810eee4df31598db7fa5d4 |
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat
| MD5 | d0191c792d790bf38f3a71839fd23855 |
| SHA1 | d6a61665dc1f01b2d7bb5709700d3f3667bab9ce |
| SHA256 | c6c739ae96519d32a4b0d90c90eb8f165b92cd1a23183893d51f93a2689063bf |
| SHA512 | c468d9143c1ff47a9f0160747d914adfea1812ffb3b0c8aa30179bd6dbc2e9bf5fa494dcc2ae9880e4c1f423ab9ec2c259ba67148deee53da425704d60da3241 |
memory/2244-332-0x0000000002C40000-0x0000000002C52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat
| MD5 | adc94517cfda2db49600737cefbfe01e |
| SHA1 | 5a1a745f59432c38f8fac2d29077553efbfc7c4d |
| SHA256 | d7784b0bff450c824df459fc40e19d425a61f9478406b3507501436a19067c46 |
| SHA512 | 08fed47f50cb3ba45bc6c395b26afb6b483ec81052b3dd4a82f7cb92a8a36f962537ce59c41f48c447b529b545aa472c5e7a79009d547aee1e21a72340563af8 |
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat
| MD5 | 25a0298f92ec1074c5b45e6497db965d |
| SHA1 | 8f1027e1e0ad14954e34f028e351615fa921d3c0 |
| SHA256 | 834f62e9ab508518397adfc73eb0a826d1013f2c336b616705b3418f319d2756 |
| SHA512 | 98bc98999468cc8bc6dc129e7017e775ff9e3480c7fe9dd61d230e7f6a0cbe3822b27fc230b2227ff5e5175607a217a4ed1ddee34e367741ed86bc2470327f15 |
memory/2644-345-0x0000000000D50000-0x0000000000D62000-memory.dmp