Analysis Overview
SHA256
b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2
Threat Level: Known bad
The file JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Process spawned unexpected child process
DCRat payload
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:01
Signatures
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:01
Reported
2024-12-30 02:03
Platform
win7-20240903-en
Max time kernel
146s
Max time network
144s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\dllhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\WmiPrvSE.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\24dbde2999530e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\PLA\Rules\en-US\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\PLA\Rules\en-US\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Rules\en-US\smss.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D7EBp90Pxg.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Media Player\dllhost.exe
"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:01
Reported
2024-12-30 02:03
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\winlogon.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6kHtwRJ3KO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe
"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat
| MD5 | 75337f8691dc9c196dd1856836c92305 |
| SHA1 | faf6af7f9a63851584e78ff28b61f82f713b8ade |
| SHA256 | 1c4fabf8bdda2d82b421c65ad2483e0c9c8616213268fef2ad4cfb957cacf484 |
| SHA512 | be5a3bd4cd74aae4a45ee62ca0bdd7f89d7aa9f3bb20d19e8b6dd807ca13c2df32121add344df72f1992c7006324b3615130a34ed56c80c857fbb19d4052aeb5 |
memory/984-132-0x0000000001680000-0x0000000001692000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat
| MD5 | d078d08efe29118ad576173b8a5570d7 |
| SHA1 | 764384ba347058307e3caf3c141b81aa89de6479 |
| SHA256 | 5ac284d0b3bda9f5ab3aaef9bb49b76c9ae4f1d1bdb3a1174daaff7fe76216c7 |
| SHA512 | 3f6809f14bfa0922f7fcfb29c25e6226e7cc8ab7f3c79895340b4c50357b5dac9141c9116cf1ab080f2d91f08ccf1588fa0fc1dcbdbfff71b80534dc4a5e21eb |
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat
| MD5 | 0bc81441f2cbd90177888a5a4d4f7986 |
| SHA1 | 9e4648eda84b29bbdeaed6cac6917b2cc4cdd139 |
| SHA256 | ad6d5e229659dec7e6219051bb932f8bdbce86276a2ef7dca1a7922fb12fa7cf |
| SHA512 | 3155850f209927c606191ea364b052ed4a2434fe6eff0404a1b1c8f0552b44881282316662908a185c45841d4aa65f0a8b23a760f0ecdb5e561a9650772b06cf |
memory/3404-145-0x0000000000C40000-0x0000000000C52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat
| MD5 | a5b3eac5a5094cc3498ddac4be8cafc3 |
| SHA1 | 0757b15acc8d09c0ea6bfc57919fe0b51863db91 |
| SHA256 | f894dddf2ddc660649ef050fa1b3ae7707b8593620831f8f3ddfabacbcb3b48d |
| SHA512 | 04dd6bae14205b5957852d3bdb3ec1c190d960144fd5d927973e0d223543f9f24f44672a362cbd83cffe51f570524b2f4423315c1ee0de633414ced3872755ba |
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat
| MD5 | ebc3b1b3deeccee588ac6b63002cfd66 |
| SHA1 | 1d93e65168a15d87ff63083608e9b608aa5a4d9d |
| SHA256 | 49946d8dc79103a10902140b13011659545990a883f6a22b2697ce7f7d090c0c |
| SHA512 | 551c32a6debea76832d83fdb4720aa66626fe73b789ee16bb5cec52aa4f1175d91cb539e1e3a004b4b29306c19175ca02cc1f1c529652725d0bc7bc1cd9aaae2 |