Analysis Overview
SHA256
a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f
Threat Level: Known bad
The file JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
DcRat
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:43
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:43
Reported
2024-12-30 02:45
Platform
win7-20240903-en
Max time kernel
142s
Max time network
138s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\All Users\Favorites\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\All Users\Favorites\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\All Users\Favorites\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\All Users\Favorites\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\All Users\Favorites\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\All Users\Favorites\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\All Users\Favorites\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\All Users\Favorites\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\All Users\Favorites\WmiPrvSE.exe | N/A |
| N/A | N/A | C:\Users\All Users\Favorites\WmiPrvSE.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Photo Viewer\es-ES\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\it-IT\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\ja-JP\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\ja-JP\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\lsm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\101b941d020240 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\it-IT\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Boot\EFI\en-US\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Setup\State\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\SchCache\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\SchCache\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Tasks\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\L2Schemas\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Setup\State\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Tasks\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\L2Schemas\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\L2Schemas\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\lsm.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\lsm.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4jUwetVEPL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Favorites\WmiPrvSE.exe
"C:\Users\All Users\Favorites\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Favorites\WmiPrvSE.exe
"C:\Users\All Users\Favorites\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Favorites\WmiPrvSE.exe
"C:\Users\All Users\Favorites\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Favorites\WmiPrvSE.exe
"C:\Users\All Users\Favorites\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Favorites\WmiPrvSE.exe
"C:\Users\All Users\Favorites\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Favorites\WmiPrvSE.exe
"C:\Users\All Users\Favorites\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Favorites\WmiPrvSE.exe
"C:\Users\All Users\Favorites\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Favorites\WmiPrvSE.exe
"C:\Users\All Users\Favorites\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Favorites\WmiPrvSE.exe
"C:\Users\All Users\Favorites\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\Favorites\WmiPrvSE.exe
"C:\Users\All Users\Favorites\WmiPrvSE.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2756-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp
memory/2756-14-0x00000000002D0000-0x00000000002E2000-memory.dmp
memory/2756-15-0x0000000000A20000-0x0000000000A2C000-memory.dmp
memory/2756-16-0x00000000002E0000-0x00000000002EC000-memory.dmp
memory/2756-17-0x00000000002F0000-0x00000000002FC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 885627a70ae71ca9e7b87859bcde7cf8 |
| SHA1 | accf4fcb61a9c939c81a5f9c0a6f33beaa619e62 |
| SHA256 | 54dbec5d6dcb6c99797b50da9e9d0632ce1c8abd3c3e049a2c1d47cf7adaa9d8 |
| SHA512 | cbb1ca910c7b0c0f4a85af1deac09748c6e400258757fe7592684afbb1163ff5d29dc325477ff25f53d0ddeb027a390760fbf04cdd1fd34a16fd49be8ba3c7a2 |
memory/2228-63-0x00000000022D0000-0x00000000022D8000-memory.dmp
memory/2952-62-0x000000001B700000-0x000000001B9E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4jUwetVEPL.bat
| MD5 | 883dca7463f9ce764f46c874b6eabe26 |
| SHA1 | 79f7b0fff2b9ba20e9e5c1f6e6aef44f3e4de879 |
| SHA256 | a18f7ce201b1289c26e044e9255f366c6704f64e178de5167fa1aa015c61eef4 |
| SHA512 | 5b5d69998c0a89253deb6ec4315adff3680d1e201a282d454a35874e842387502fbb12b7c55f2b9c5937c1ad29493f8aaa4de588d09d9afce55fcae62122db84 |
memory/2836-130-0x00000000000D0000-0x00000000001E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab560E.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar5621.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat
| MD5 | 82dd01a08a209e21fe3c6784b2fcd1cb |
| SHA1 | 306aff79c2054726e429b3e3c1257ebc02e9a2c8 |
| SHA256 | 1933f2377b1afe3390fad58a1a62c420c5c9ea5b3e7ddb25f366af381bb6c5e5 |
| SHA512 | ee1039639e330da688bae0e323a3eb2b4ebb53d740566ab6c9e91db17b9bcd22632b341bef642377904d0029a5b6cfcc84dc54258f4fbbbb2012dfb8c398f72d |
memory/1724-189-0x0000000000A20000-0x0000000000B30000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf791f7401ce6ab96ee6c7043468b560 |
| SHA1 | 671d8aeb5bca76d006d57c9ffd02f520f3cab104 |
| SHA256 | 55af8c6815c47d3d67a3ce4a72a0a819fa5069a3d308c7ce8a13f7e5433b1111 |
| SHA512 | 6001cc5286342dfe88f0a68b1e7c81af9f1e8aa15012ff557c0b765c344e25766a9778e886e9258522b93b92c2ab404c0f8ec884d44756f769b0059ff70f28be |
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat
| MD5 | 071c1ad329c71ba16a5d19da03a5c712 |
| SHA1 | 0f820f751f2639609f45c4047dced7f8a92421d7 |
| SHA256 | 488bc0b7d057114680579e422f4519198fb576c80d40b441fe3118789cf46f49 |
| SHA512 | 93271ba0a80237a36b981f096be759ce2cb85e7c7a29f18702a5d105c4da6f2e1b307e2acb0d87486f463db320dcdd92fbb0dbd876b50e0a3509fd2490b181aa |
memory/2064-249-0x00000000003D0000-0x00000000004E0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 483b92c3b8df0f07e1e5adabaef54e1b |
| SHA1 | 1435158110dbf7ca74cd483b8c060b459d8cdae0 |
| SHA256 | a4ea3f5add637cf0a5d65a0ade24ea1f6e623c7f085318a1408f9bfb46c49c68 |
| SHA512 | 7f7527839d18f4f018a6c2d63c9c01d0b61a8eaeafa0b8d278ab1d06d1eb4d66715666b82aaa1866325a96046f0c884ab22be53bedbda02c1a2b1ba209f13f62 |
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat
| MD5 | aca9005852148ff12661298eec51afba |
| SHA1 | f323e27a40516a7c4cf78eb37691790bbece6819 |
| SHA256 | 4ae4b90f87c6a30b107eae74d689045d5cd4cd6889768d428b92f69b93a84352 |
| SHA512 | 6d4f05e727202bdd2e8685df7186ac9e40d12f886112e68f9491fcf817817e02d4326350d7b39c98cfbde78b0b66b3375a55e0ec1125def64b7d67b4ba712f21 |
memory/840-309-0x0000000001240000-0x0000000001350000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c2c97ce17fa1c06c35e6679aacb3b882 |
| SHA1 | a3ecc243ff4fd898dc9f95baf5776f831370aa72 |
| SHA256 | 2b836a9e0ab552197417e70d6d0f42f27dc703ecbc4e17acfb93c3bc12ed26bc |
| SHA512 | 609e2c564f3697596404c37e8d0683de208926f808032f8ff309ef3178626594ec6dd6b4aa0b7145b7d851bf3551365aafeb492526dad2b40f67e72fe90aad3f |
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat
| MD5 | ebbf649fd51e21ad53d17f0b945b16c4 |
| SHA1 | 6489230da53a96a44e762d6acb72a1c37b9ca2b0 |
| SHA256 | cef5b463036b734980ae3f63477563331b05d05ccd980960097214c4028717ec |
| SHA512 | b4d31dc296131568974847bcc94ad9afa6ccc6f5d03dcd532efe26ee9ed3fc8c90be566af18a605ae9bdc561bc431b55f016342e7f4b985f873ca3ad9fa8ed8d |
memory/1168-369-0x0000000001390000-0x00000000014A0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f9c2ea2e2f724825012bbecafad297f5 |
| SHA1 | 0c8d021e1eb9ca5ceda79f6fe67189f23148fd54 |
| SHA256 | b5746040271c38f81998df5909e0f53b1c99d36cfea99c43c4b1c7648a97d422 |
| SHA512 | e6ae42c57c677bb1fd5b445e47d9f990f2b5b8f5f7ede019a67bc55ba1c8dada49aabb4bc1497c1119f240149f0fe7799d17f7323d84157f765c2e8bc3fcf487 |
C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat
| MD5 | 0e6d7eeebd251e3a75fc110b5c9fe248 |
| SHA1 | dab8892ebfbbd45d5e858ed0871cd45be3584807 |
| SHA256 | c42defba150e00cf1e6f13aa2e4e78bd249ad3d355e9f82492239d6d404af4b7 |
| SHA512 | bfe1cdcfcf0bf00c4f58a32610c10684ed7fbf073e07bbf9e5a71ca2d95ddafed77a886f7ab41372189f67cdee49191e1daad9f61309101acb3d7cddcc433e50 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fdba1f88db444821824b9fba4ad9cb50 |
| SHA1 | 2e3078236ac92407773d1996514eb62b9288b571 |
| SHA256 | 2a06d8b83c3dc7b22c919d713f321484b05d99e791a1adcbcb9a5483054677da |
| SHA512 | c338f009b6a108ef1f6770315003fea95afd330e3b6412ebff26dfd4d1036bf465f79619c9758475bc58607cfb8f170d5bc7116727534105829643647e4cab02 |
C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat
| MD5 | 647f23a2ebb03606579840b3a16c322c |
| SHA1 | 21255a8b4e7ac573aeaa6672ea69ae11af0433e2 |
| SHA256 | 57675aa87c8a66763321d393421c215465be110fa8be11f938edee69fb284bdd |
| SHA512 | 947857adc60ee267b6b08535b6a9678582e5d197b9d9e62df912bcb0ea7e0037995a03cc4d4989fea222239f96c73c1d44a8508c05e238551fd3b4226cbd9682 |
memory/1120-488-0x00000000006C0000-0x00000000006D2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7d30450ea1a1ad6cbebbd6bb7bd2af7e |
| SHA1 | fa1345ca833d1440b0061766c9f5d42d9307c70f |
| SHA256 | 8bf3c94df37b166425ef68a241084ff4b1e4e27380b584d27d41758ec6c6b3f2 |
| SHA512 | d225e76396cbf5e64eb036d514eb4fa533abbd9cfed706e0538c8f15448034c440e4c20a7227121d3e28289f19225b096e115891cd087b25af03833fd01c0968 |
C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat
| MD5 | 24a947b3721825cb366c27eb2ae488c3 |
| SHA1 | d5cf0c92250c67ef1ee3a5121b5321a3914635ae |
| SHA256 | 06964247543633f9d602a78df7ce4c14d6e93053b9c05fea243f782469e6b8ac |
| SHA512 | 56996b6336c2d6f9d2a2bfa61635066e4dc785c3b2f11ed8b822fb5340b6ddadf1430561f1d2b243cfb1ad3da0ecee76c8865efa984d52da50fe891ad329faae |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | acce86892c78acb3186989f017437513 |
| SHA1 | 61bdca392e9249a359252103cd4dfe2c40af29ca |
| SHA256 | 31521a28e0e070691ad7bb2aa8488d79cb66e4361f9a8cc97e39c2a345e9b4b8 |
| SHA512 | 4895c9689fef28b4c6e4f1558a736beb34c4e86c7c98bb6a2efa8f986f9c5542c52e3af864fd0f878d07b6644f8c446b17b743f162cb1ed4042ee0bd9c52d4ca |
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat
| MD5 | 0b15c323649227a5d47cfc6c191057f7 |
| SHA1 | bff9a44ac4c3880b3f385337201ebd984fa98df0 |
| SHA256 | 53e8425e5f9a8b6d29a9dec11a683fa41e7336089e3037775cb0c90308aabfbc |
| SHA512 | 1df91db263fe6f833b318715271be7f53e192fc1c0cb71c6ff1c69dfab920640d0842fa21bce6c3649f558ffbbbd095e9350b0dd528b84551316c41fec339fce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 126d4e5bd25001ead5be5720c0d7dff8 |
| SHA1 | 8a7f5a22df393a70d913786ffed6cd05be489ead |
| SHA256 | 71542a73c57538b1ceffc50c1f14df55c3cd539d669043d89c96b7f4ace2ca5d |
| SHA512 | 584d56c0885096d1d65882b0764b184433960ab2eacfb919819a1cb11d718a3f55c1b8018c7ce0ec4d60c36df0eca41f133b28d21872bc3f1b1c025cf4337826 |
C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat
| MD5 | f659c0ced0971eb9cee38fb7f9d2c22b |
| SHA1 | 32d3155f0925189bea6461fe997252a279eefd2c |
| SHA256 | ab3a3e84b57d65ced9180be1978fcd4b76aa9da4bd92aba571591e45c49dbcf9 |
| SHA512 | 563bc936efb9d2d6eb46e3e73ca6ed2b39d5e057091ae8aa1f6742fea08d3446c975d98901e6cbb26157f5d49ac6f3f0140e588ae51b6a4a8a325fec4bbe3895 |
memory/2976-666-0x00000000006C0000-0x00000000006D2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:43
Reported
2024-12-30 02:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sihost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\sihost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\121e5b5079f7c0 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\defaults\pref\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\uk-UA\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Oracle\Java\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\uk-UA\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Oracle\Java\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ShellComponents\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\pris\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\pris\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\CbsTemp\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\CbsTemp\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Containers\serviced\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Windows\Containers\serviced\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Containers\serviced\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\ShellComponents\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sihost.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\Containers\serviced\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellComponents\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellComponents\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellComponents\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\providercommon\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MvPowJiOmF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\pris\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\pris\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\pris\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Packages\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Packages\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Packages\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\uk-UA\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\pris\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\Java\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Packages\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\RuntimeBroker.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNIZ5bH39N.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2600-12-0x00007FFDEEC63000-0x00007FFDEEC65000-memory.dmp
memory/2600-13-0x0000000000820000-0x0000000000930000-memory.dmp
memory/2600-14-0x00000000029A0000-0x00000000029B2000-memory.dmp
memory/2600-15-0x000000001B500000-0x000000001B50C000-memory.dmp
memory/2600-16-0x0000000002B10000-0x0000000002B1C000-memory.dmp
memory/2600-17-0x000000001B510000-0x000000001B51C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pha3eze5.l42.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1148-39-0x000001A7FD6C0000-0x000001A7FD6E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MvPowJiOmF.bat
| MD5 | 8dd6c4761e247be8daa027e6f294954b |
| SHA1 | 3a38d6df1946e6fb56157d86504c3024613ff572 |
| SHA256 | ea50dd9f14bf6c0564420534665878c8a047384674b22f9f97b339c34f8761c2 |
| SHA512 | 2a7bde6593254f0c809a27a9bdcb07273eeabde481c2c78791b5f986383ab2e08798924e00136e223d6b4d6244b6e973046c666ce388aa90999b6fbc180fbd66 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log
| MD5 | 7f3c0ae41f0d9ae10a8985a2c327b8fb |
| SHA1 | d58622bf6b5071beacf3b35bb505bde2000983e3 |
| SHA256 | 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900 |
| SHA512 | 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125 |
memory/3088-91-0x00000000023D0000-0x00000000023E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kNIZ5bH39N.bat
| MD5 | 60496e201c24b37f6fce8fddd2cf2620 |
| SHA1 | 5da7a11445482871328d2348028351b5f708e18c |
| SHA256 | 7f82d87f024b734341d91a3559a7b0eb79f0833eaf70581815003a8ceca499c3 |
| SHA512 | 9be386990cd79cd195e7cbedcbc7a5d41916f82b7a0cd98867f7c5e776425e43db800db39bb3387e0c557b118dae6ff146ac684355c327662bb44ec8fb68bedc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 51cf8df21f531e31f7740b4ec487a48a |
| SHA1 | 40c6a73b22d71625a62df109aefc92a5f9b9d13e |
| SHA256 | 263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d |
| SHA512 | 57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 66c1af19164d3b08179f388a26c2bde9 |
| SHA1 | 599bb2101a033126bc82001419b94a3467fe86f2 |
| SHA256 | 48950437c36bb693eae5049f0eef84824d76169e0cd736590b401b0713be3b30 |
| SHA512 | 5b575918813e354824c07ac91ea7c1fb121d903065d1f2cab92393ae215825b1392c50f8658a5c482c6a1fdd9922b1f29f9f34fe53a584169285cbe0ea10a17b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c65338524586fc00cf00e679a7d4a1f4 |
| SHA1 | 62abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae |
| SHA256 | faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6 |
| SHA512 | c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fdf15f7d08f3f7538ae67e5b3e5d23f4 |
| SHA1 | 953ff0529053ce3a1930b4f5abba2364a8befbfc |
| SHA256 | 9f4964b9cf2c6d4915a8f2b9746dc5ff73d6f327c81370f92e0e7a611b28a707 |
| SHA512 | 4fee933635376d1467e0be63d12fa897f83cbbf9cdd1ac79cce30dfaa2621d47e137e991b701f1ed9910767904dbfb6b89db2a02ce32edc410c83351f351d7ed |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bc113211a3e72478c93989952aee3251 |
| SHA1 | 5eeb2f2e4642ef5f147dd118742ea3c3dcf0cd16 |
| SHA256 | c6059355503eca5b35ac8446442eb5031ab610b7353cd2e8a3cf07dc99469fae |
| SHA512 | c0748cc3a4b701f5cefeeaf9ac1bdbae28cfcf1dad8e89a2db2c756b908011ee8e945b6d02bef816763fc5acc38a72657316f5cd56c62342c8e779a50f4f4460 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 17ea263ce8c38396c330fd30047d0522 |
| SHA1 | 65304731eecbe75dd17c1bafbcc48dbf25e17eb7 |
| SHA256 | e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8 |
| SHA512 | 0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 58d5391a088420e4f58d801ed9f217a6 |
| SHA1 | 3a9795e248a126b315449549980768729ac2d517 |
| SHA256 | 5bfe4b5e9492f71d0f90fd6db10ac170c0aaaa932ebc5da9a30b80ab47a6d51f |
| SHA512 | e650e3e9102f9200780215a596549b030fca83433d6fb2e5ecd6bdcc561826a673a83fa75694fb689a1dcd6b049d2fcae324b9dc9bfcd3fcced4f74326a04943 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c249d1546fa74aeda0e13ad7d0dc2815 |
| SHA1 | 3fc3ae47b0d7fa3a2acb9347cb94e70c89c2467d |
| SHA256 | 9d30870071199e5fd2f9b6c73cec8ac9fe1503c3d60dbcb5591b775e9d166414 |
| SHA512 | 2eb90f4da8fa278eaf6f46c13fd2477af3ea428d688049a45643c1c047203adee2389e42943b327f52b808cf7cac583f70ffef20f827908d59fc30af97ffc988 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2c30103cc6b103339cfe44137ca0edf0 |
| SHA1 | ecdc8c1685831e906cbb8ca6065ab4bb06fe3db4 |
| SHA256 | 85ea59925c660ced52ba5095323e580d61aa8f8de82f31cdde85a5ed7e75cfae |
| SHA512 | a870be1cb86f955187170d99c7e6200f6871bc7858885d3b2f431bfa6f9af1d3d86a00add6f6f5a0396ed25fc19c4181b985cf08921ad98bf4903568fe59a482 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 205f6010c033eefc37d63d8ce846bce4 |
| SHA1 | 417b1aabb447765a2aa149529a1f4f52ded194ea |
| SHA256 | 993dbee9fb487dbdff56c09a1df360ea68b583bd8b28b2c315ec9d92639f3697 |
| SHA512 | c6bbd60c82ffbc3297d1d355ab3c6692de97da0b3bdd60ea4aacec6d27d360341cefa11a4411d7b8877d54d1177b48f4dc003e2a391031cc1a304b177689bfaf |
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat
| MD5 | 411e85561030dd40269e3a5f59b9c62c |
| SHA1 | 5b0e0ec82c39fed0cce513fa54846db31e43def3 |
| SHA256 | 6663976e679d8c92948009b59afa76f798de179c81bcdcccca6bcd771b954bbe |
| SHA512 | 65d8d834d460692e7b5f896d55842ba272b090caa56c60f68c9f7090603f50200d208457446e9fb2978ce5635db3fe648120ba080cfc989f9b00ebe60fa6fd60 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat
| MD5 | 3b27e91e2eb8480dba5231b9b5c341e9 |
| SHA1 | aaefefd50b894bb5e3c2eb1cbfc8c859110e848f |
| SHA256 | 947e788122a8a2b8d1e17a030060c779eca6de38ec2e9bb1bb9ae702dc761fba |
| SHA512 | 37e8b996ab4e42ef53fa7a3573490f59826be18bd13f15873921944ecf656200f7d5bc4e8a16b9987f14b78c78bb0c0fdd51924aff0f4615bab6a566d01dc133 |
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat
| MD5 | 930bfab69c486fc10f0df112b87bd414 |
| SHA1 | 079ae16b7358fd341d78103645af245bdf815963 |
| SHA256 | 19efa1f7879da13635c5787a046f69a6c0787f5ebcf505d77024b97ecce25d60 |
| SHA512 | 75d3595fd47849d481235e3a7bf1109ede8c28ae7187550847d7b9d8e72dd6311ef4b0fb78868b985db587e8aad11edb5e32e16a94f8a1be9af8035ff995140f |
memory/4780-326-0x0000000001170000-0x0000000001182000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat
| MD5 | 2b9cb924fb731b1de01c4b0263b75778 |
| SHA1 | 675d149afd8138958f1d4d6a2bfc913cdd6df892 |
| SHA256 | 22d8f49d4dcf59ba167973d0990d36fede4e485e0dea7c56e7a0dcad4a978909 |
| SHA512 | d74d3402c67004cca17565f92d2ec18dca5f2565dd94c2a2085d8aa869473689dcfa67beb6eb56b571e94c089106ed2ad57539b3f1ae76d82165e77e1f8b704a |
memory/1380-333-0x0000000001400000-0x0000000001412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat
| MD5 | 444df971b2b833beef7aa4a99ad658ea |
| SHA1 | a122aaddfd8198e9bb9e046db2d2698fff0a6e9f |
| SHA256 | e9136a7ede4ee6214ee6ab181242cc3833e512f69741d01eb571b58b9fe5e558 |
| SHA512 | 4030a83f019b306fd5dc62b641dda255067010ad652e097ce65244d9a5b92fc01aa5e64882e64fa0af48ee3ffd248a47e4e42289150df305a05c9e834a9130db |
C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat
| MD5 | 435f2266b03739ed35dd14a6507406a2 |
| SHA1 | 7b98a5d55750ccfab7491e16d2e362cba7e9b7ce |
| SHA256 | 5119a45f33cd09a0fc6e511b5c3279d57cc9cf50ed1981c766f4dc96deeac294 |
| SHA512 | 19319d736f2c54270a8ea361b8a8cb6d0db01343c0bec70583903a5ac44f35be313d76e92caf103005d8c60d5b5380018f4ad8180bd7d78430502d1346ade55d |
memory/4224-346-0x00000000010C0000-0x00000000010D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat
| MD5 | d46bc16f5893af8bcaaca138d5e5dbf9 |
| SHA1 | 3bb677aca9a509ac6672f17e275df6531a2e096e |
| SHA256 | 8a4c856861db0046fa9d1893b52f8211089d602af7acaefdf28398070940390f |
| SHA512 | 0f5309378214058cc8d167627169d6da2728d2b996ad732b6ef847e3a6464a7541604b3c4111c0eafe614b73d4a4eccefcd3e7334c3a05f95bd167f73621b3a1 |
memory/2188-353-0x0000000003160000-0x0000000003172000-memory.dmp
memory/4112-360-0x0000000002A80000-0x0000000002A92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat
| MD5 | 1fa9b6305c893a012744be18de738eae |
| SHA1 | 6c57d3449c8d1a163963d5c2e8ccd0e0450e20e3 |
| SHA256 | 0db5e483be47e8861d00f10c88be98f885ea3e223d87dfb4442cbf6c7eeb75a0 |
| SHA512 | 5c8139681d9cd0a1b940e1d4974cd929010d0631e45962212a520c73a4b05b9a344e18ff279180b5e03328c5bf1c8d8b20eaad92ab71647a7c6eb61617805979 |
C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat
| MD5 | 29fe4e8c0558abd1c6ca7dde80f77a6b |
| SHA1 | 39479ac0ff61b7f41d9637e9ee993eacb9ddf2f3 |
| SHA256 | 62616b92a50f3c0efa1c61c50de965e978fcb48a1dc1515eeb5ad2f3e020a1aa |
| SHA512 | b99b98035dfe3f7333592ed22d16fa6100a5b9ce196554cff483f452a44a23b6c3e2be46756951dbbbbee884e57c3687d7910fdda5bb11db5d929e5602342bc4 |
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat
| MD5 | c794a4ec87b3f7f3353143e4b6d89654 |
| SHA1 | 7aaf0c66161eb485ce63f095ae44522f0c2d5bb1 |
| SHA256 | 0b053bd4c73ca51b8df83eb42087d0b04c883e0342e1e8a7987b5cc0aafb2154 |
| SHA512 | 10e9b40a22d6cd32edeb6a2b7c5013fa2fa28b5d9478f61fd5d09d4c9ff2a6882ca7df5ee75c4a368d35539051aa021f258309dfbef2ab279b4086919a9ae90c |
memory/4812-379-0x0000000002BD0000-0x0000000002BE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat
| MD5 | f985ecf2f3959549d6646b7a3e8f4261 |
| SHA1 | 48f51b2eee29c6e39dd4c130f630f7ece6086a6a |
| SHA256 | 41fab08ae6bb20bb373ce15a3b40b12e0647d6b5127d8b9a5b9f827beff4ede1 |
| SHA512 | 1de414c0513d8d91b96e5d83e688f21475eef14203398257b23a52662d6f0c57652c520f8c41b1f8f2d97af2ee8a3cb206b26fa9a9c96bf4ceac0125ada679d7 |
memory/2928-386-0x0000000002670000-0x0000000002682000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat
| MD5 | 8e7c6b7d2d633828ce70f00d43b7324e |
| SHA1 | 868d4cc711704501539c4cf28b7ce275cde88717 |
| SHA256 | 6ee90a0a417aa80e068167b549afd0b278cebc0f85434a3a9d3a8be81df19aa5 |
| SHA512 | 28ec36b2af66bd795b25208ff189d02b1f04d4aff4ce8bc89720e09d8301d342f8b2378472efeaf40e77c441157e5a7a135d408d5569ea52c0194b5f123079fd |
C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat
| MD5 | 34c6e9e00386de2760656fae1522b4fd |
| SHA1 | 7047b6e3ed0b99f42720b849a4d3c9dcbe68f2a1 |
| SHA256 | cf34226765243f95d603cf6c9f07d6cabc2381beea0e8d42471703399f90713c |
| SHA512 | 2da0c21136a9c542c766a12e5b023b22a464ace24db9da963341c4c52c0c57a5f4839901fc462cae0507e78641a3202862b47017b54d6a31cdad59c46bef0824 |