Analysis Overview
SHA256
d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f
Threat Level: Known bad
The file JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f was found to be: Known bad.
Malicious Activity Summary
DCRat payload
DcRat
Dcrat family
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:03
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:03
Reported
2024-12-30 02:05
Platform
win7-20240729-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\wininit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Windows Journal\de-DE\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Purble Place\es-ES\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Purble Place\es-ES\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Journal\de-DE\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\ehome\ja-JP\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\AppPatch\en-US\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\AppPatch\en-US\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\ehome\ja-JP\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\en-US\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\en-US\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\ja-JP\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ehome\ja-JP\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\ja-JP\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Favorites\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\de-DE\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\de-DE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\en-US\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Purble Place\es-ES\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\ja-JP\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\de-DE\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\wininit.exe
"C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d6444e46a43659ddcba6c30696b8ab96 |
| SHA1 | 644d15977e76fab3753346d8bbee6427873924fd |
| SHA256 | da311dedd965f4473a6e9209e4f7fd729e9c3f026dd53c7d771a13801dc4ce10 |
| SHA512 | 17955d62090ee5ace82159c78f3e93e4f481878cc0b98e68e6e2d40a5daa1811353b3a8a797049fa568097c6c0b37ba319c6538a7d1ebaff23b3724ce2233429 |
C:\Users\Admin\AppData\Local\Temp\CabF5E5.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarF607.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat
| MD5 | e92ef90a4f0e22ccc1f03faf62fb971f |
| SHA1 | 0b2e483095e43cbfc4df2ee78f5219f906d66518 |
| SHA256 | 61e55edeaa1db42539866ac1ba696bbf081e94bbefb34781d762151bc0225767 |
| SHA512 | a2008278a322807d3f5fa83b985b050980ed42bac61979ef3bdc8513224bf7e30cf9ecb60d9aa6e729a984901c6a04ba7b00ddb41b15dd6a6e00e11e47a7b6c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 01121dfdc9ed2d0a9a60581b949ec8c8 |
| SHA1 | 25c57f779b70dbda26e32c0f9f6ed497193ede0a |
| SHA256 | 42dc055dab14c5f33d9590a11b72f6f09f707cbd46c9c029ab44be82553fcfaf |
| SHA512 | 6ba61a43a9dab8c3473f9647585c1699fb542084b100ab26b7d459c2d191a513c20253fee59a0c6ee2f6802268790e1e3dfc0867121beb3e3ca507e0a6b20c19 |
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat
| MD5 | 9469ab82ab79c80816dc34574c04e7d3 |
| SHA1 | de2107dd0eec5843dd62301255deacebcd2188d9 |
| SHA256 | 453f70d02c2659c6f93b07a6593c6b52783a3a30550602147e621fd97c1b5ec2 |
| SHA512 | 920c754878b7c3196811e0b15f8206cb90dd6a5bfdd1fba48cf724ec3599f7975ffe16e8b15b1141f4d069c8d3e5c7cac962807412da8f1fe9fa970586295d0f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ee467dcc38357b63ed3c0e5270cfa76c |
| SHA1 | 0a6a42c4d3535bcec1b2f37f042d689e62bff821 |
| SHA256 | edafcf017a3da2fe28acb19b577e71117809b353d87fa583418f671da2f1211f |
| SHA512 | d846708097aba747d894644295f42fb8a6d058e6cf4210f7fcc69a87b88c7ee327c86df78fe135f551e2575f287e3cf998b82cb99b4d9a9fbc9ec371e353ba56 |
C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat
| MD5 | 34cd834d235fe368d869d1c541c982fb |
| SHA1 | fca704fbc4260b8318995ecd33e1f1ed42d691bf |
| SHA256 | 1b2389cdfaeb045febcea4b2380fef1a4651fcfe7bf1054e9810b1e1dce815a0 |
| SHA512 | a2b0033cb51304e3d9d748d151ff8f12342c343db58b7e845a683a7efc8422689bbe00913e133ccb809d235d753eaaa63d106d69143f5aae4709e290a37c1342 |
memory/1728-323-0x00000000012C0000-0x00000000013D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1b33d83240e6359901d27c1ef6662f10 |
| SHA1 | 4499dcd9b38da6fdd0ed46e5ad97c095cfa51863 |
| SHA256 | a8cbfe0747ca8292400278c7924e7853a12853beae3f2389725517d658fd6263 |
| SHA512 | 78deccf11fa173107587606334826ab9240469df939a56a6c014874552e01d2e18453377d1edf23c78057219943b3ba308fdffa7ccd317f4cf1e71357ff1f55d |
C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat
| MD5 | 3b99e86bff36ea7ed401bf5062f9e0c4 |
| SHA1 | 94555219a8940cef697bcb74388c3468388a1bf9 |
| SHA256 | 678c00e7abf35123fd006eb6892c40f802910a9dcdfb4edfdf69d4eb48026df9 |
| SHA512 | 9d5b4fdf71b6eae0561d5ea3dba85c4ef846fe63b98fb3ff7e3bb11676329f93a2a6f2351e654b33fd74b57bae2d85af3b0b9c87d81291c8cff412cfd6abd53a |
memory/2404-383-0x0000000001300000-0x0000000001410000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3862f900c7ea9eb3426ef042f29d436a |
| SHA1 | 8aed7645cf68edef2c97a14976566cc78c8fe455 |
| SHA256 | 839b3d6b4d47da0df3d488f6ee20a4ae080e00dbea80b4a09958d04673df484c |
| SHA512 | 423b1d6cdf496390183cda0eb9c0990cd92a592dc1deb61b175c727537527440b16ee6b07d6b6bae6fd8aa09ce77d50c40be43dc6048c5ce00df40669f1cbd03 |
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat
| MD5 | 073ff69688b2d8f8745bb0f609a9f01d |
| SHA1 | 50c4f9475f02045567532f2c56ea134bb5252492 |
| SHA256 | 5d5c4a8265a5ee96c4373d1742b3dac31f85cc66082331cc2306b24f569f566e |
| SHA512 | 2503fc92a5d6bc19b08c281df5e919e4c801252a3094a03c5dae43ebe7f3bcd92a2b3b1e6acc672d7b23ed7ef1b2c1e624e7d5dd376ed4773c4a3b3e5ac0aa68 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3dee6084373f4d84c18670123178962f |
| SHA1 | af1b7409d2a26cbba4e1b5ce3d7806d50e2e90f7 |
| SHA256 | fd6b5693a86048ff516f9710c194e869ea32980093111b19fea76a470f4bf406 |
| SHA512 | 3ad11ce9761a96ee0eba2f6c724532064237fa2300fd8c3eeff8bf909b0a3b1319f466813bbd3dfe5a47153abbfa05887abce5d199fe59addea08ea248c14d25 |
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat
| MD5 | cf3de6202a2f240b7fbe7826d7cccc0c |
| SHA1 | fa27f1b73a8534eedefd61b36205fa49d4952665 |
| SHA256 | a0a52041e08179895230698621fcdcefa859bc819e51567ce354ca833351c298 |
| SHA512 | 8566dedad52012f7da3a9db9d950497321f935593d48ab196a37e1d4cb0ef002564a61016a226e6a82337b04cdfb790c03b111d5e727922a73ac49aebff5b1b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bd49529fef6eaa903b267a5ab0e72509 |
| SHA1 | 8728cff847805f4523206f28a32176ed7aa2bcc5 |
| SHA256 | fd4515a8157b0b355336b2544c9a9b9437aff5c8d1e8534696824d1821911021 |
| SHA512 | f0afd50aa83cf714fca44572a04e657920f1139659c8cc2bacbb6500aeef916635b2e2fc87a41d74c36fa36e485860754521f7d016cdd3c40c7f7de4b19da3b7 |
C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat
| MD5 | 91d7986f3506754f6c12f4c4f0e65566 |
| SHA1 | 2bf3ad7e5feeb28bae8957b64aae071459903b6a |
| SHA256 | 15771d900a609c79b7c9d859013b6b99e780e10219775cc85f75eb63351c719a |
| SHA512 | 9db2c29d9a23ffd012275ae3cda15b65698f2c37291c9b87f8342dfade3ab8d4668b090146b795aad06d9e86ee1a533a047ddbafaf206eb262917dbfd5d32a03 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 64a7946c28362777335b27e3f956106d |
| SHA1 | dfb39f066928fe8488d26d9e64b7849c881f0543 |
| SHA256 | b536686ef9bbfc2a41191142f9d7278ae6b47796ff412795ed6f0557f0ebba5b |
| SHA512 | 04b30127df9b689c363e3b2e80893fedd538d6d2157af19d2c37931f3c7009fdfc496f78a65c4aba6a3b8c558cdec49258105ed56c316eec6b067bd010777258 |
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat
| MD5 | 8edfc344c58685e6b722f1d2772d5b97 |
| SHA1 | 374621bd4f85b31956862ca5924264797122e107 |
| SHA256 | 323b15023973cb778ea85caad8664a7a0e4b04bd7ba147a318b42ec8827ac385 |
| SHA512 | db501fe483893482063d9d44873eb6f7afe530871e9fdb716277459b2379ac0b2d7868fbf99bef2a2a8c3f5f032d9f5a39b498d3659267ad6b05c6c048a2cbd1 |
memory/1408-620-0x00000000001E0000-0x00000000002F0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a66357a144b23e75fd5b1300884d8773 |
| SHA1 | abd2fb9cc77a1f3d13fc37002ec9e10eab2ff39d |
| SHA256 | 93cc64f0e4338c7f7e26c325f9863a5950e46de2ebce2258532fe656b6e1a84c |
| SHA512 | a613466c357019e3fe7bc97358752af4337c0507060009a9087d566d3ae714ffa2e95de270ae5bff60d34a2a97f45e6072baac8026642eb1d3bef728eeef8f56 |
C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat
| MD5 | 86a7eef6cb6be2a5b40bf17c4a89e190 |
| SHA1 | 65e81cd03a73c9697568c9891dd5d2108f23cd32 |
| SHA256 | b795afe56cded3660c640424f6c9398a3bdc126a1d32d667b61d24e4a0a6a27d |
| SHA512 | 4d546287b37e6d3cc574884cd251dd20605e490dcd37815e65707055fdbd67f8ea4d26373536e7b1616d6fba471c9317689f860c89eb2e6cfbab97ea8c0134a0 |
memory/1576-680-0x0000000000860000-0x0000000000970000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f0f123d68fff0d0f3dd4e0a2cfa639a1 |
| SHA1 | a5caa1c7806e872f52c4af29a21b80965ad6f683 |
| SHA256 | 695b7a2867e7b823efe98c062e8716ffdbac7f5acd6121ebb02979645deb0bcd |
| SHA512 | 4be03e3bbd8708d8ae7fd587270e3fe005f52ef360ebc22e384ada345a53fffe7a22698c7f28605d24c3fb7649ac29f1cf5383adc74e4a5d4688626ca42f49f5 |
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat
| MD5 | 7c9bc9a2acd905d42ddf90a11f5928ce |
| SHA1 | 534027db22abcd11a0aa322b43dc8454f049f42b |
| SHA256 | 146960e9092df2a3fad155d45fa9a9149bdeca2daa22f341845f3386460bbb00 |
| SHA512 | fe6def66ecc47e6343fb1b3decd25a1210ce3674a1368cb0894d61dafcde3411bf45d564fca05b3aebc602172dee112b8c025c94bc858da549b47809f35281bd |
memory/2312-740-0x0000000000E40000-0x0000000000F50000-memory.dmp
memory/2312-741-0x00000000002D0000-0x00000000002E2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:03
Reported
2024-12-30 02:05
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\fontdrvhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
| N/A | N/A | C:\providercommon\fontdrvhost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Media Player\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\fontdrvhost.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\providercommon\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lKhhpQ3tH5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\fontdrvhost.exe
"C:\providercommon\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4964-12-0x00007FFBB48D3000-0x00007FFBB48D5000-memory.dmp
memory/4964-13-0x0000000000A10000-0x0000000000B20000-memory.dmp
memory/4964-14-0x0000000002BA0000-0x0000000002BB2000-memory.dmp
memory/4964-15-0x000000001B630000-0x000000001B63C000-memory.dmp
memory/4964-16-0x000000001B640000-0x000000001B64C000-memory.dmp
memory/4964-17-0x000000001B650000-0x000000001B65C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxjjlmzg.izs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2380-34-0x000002012C9E0000-0x000002012CA02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lKhhpQ3tH5.bat
| MD5 | e3bdfa489691341f085535281ee55e0c |
| SHA1 | 4354a4a777928ea6cb360c5a0c947ec34b481c26 |
| SHA256 | 282c705fd5bb783157a9b2f87f5ce742d78f0416cfc111afd03d2cd1aa5dac41 |
| SHA512 | aebe764795f56c1e428946bc83ad15ef593c40fe1e039156d54dda2285814db6393d0774859b71f2bcd07fa5dc39dfe41fcd9f9c22c669bafcc59096ac045538 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
memory/3048-79-0x00000000026E0000-0x00000000026F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat
| MD5 | 363cfc351a44e32bbe86789ffa7b7ca4 |
| SHA1 | 533094355ccb13f2bb35a5672762c6742b4f62c8 |
| SHA256 | 7bcd6d5558c5be8a7842e8090964a86e4145597899a3ac68f146a0320a0380a0 |
| SHA512 | 2a40da5320bdb6311ec1b71d126b145a55339a8ecfbe6796bd68b56450ff51c8d897140255ce6daa141dbbadb1f6385c9279fde68ccc45446cd6b72e23de6a43 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/216-88-0x0000000001810000-0x0000000001822000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat
| MD5 | 7583a7ef4a37be1cc33f96379eb81d02 |
| SHA1 | b5bb0eba38a70b23060ac6f73835f0e8f6c3cbbf |
| SHA256 | b166fad19d806bf0f1c171218e709f5f3eab76a7eabe8f44b10a57723160e9ff |
| SHA512 | 102982421bad4fdd8f0b232e9e976d89dd4c52ac607b24e773b81efd1f7408bb9f1493d0b0c583f8cbac4930dec9c7aad9b31222e1bed4f372be4049c50ac21d |
C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat
| MD5 | 2969e05f9f84993f8165bc123b01d184 |
| SHA1 | 2c753644f13ca0848c7966737aa872753e31de87 |
| SHA256 | 6a53155ded93c57321242f4b6b93fb8853cd6c1a315f083bb1c0ab931d44631e |
| SHA512 | 0c5ee6e8efce57953e57909055ba9ecebc7d7c2d3a9fb576f5c12217cacb13e8697cc17a3ca8882e4472c78b921ee04e3a09537d0f6f960381a83dbd02aa5e46 |
memory/4440-101-0x000000001B4E0000-0x000000001B4F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat
| MD5 | d1f6f5176642e3463d541d0730b03be8 |
| SHA1 | 9f5ed4402f1bac0abc0260d5a6e0f2db6338d042 |
| SHA256 | 31ff8918e2edb39ad01ba64cea9482e24685a9885d507b2ff3469fbb07b93dc3 |
| SHA512 | 6037b9708b3ebde754cc990719aae4f882e37d5f24d5a974714f6c4c074a33bfd0373e23852ccc786b737ca595af6a0f51f3b70ab20ef27f5c5972174317e0bc |
C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat
| MD5 | 52bcfb629bcd451fdd85a63f9dc03036 |
| SHA1 | 19c7c776099ae74e82cc32011cbed318295afe10 |
| SHA256 | 1c9542fd01a9fd902be3ba76a98c66502124c52333da9a4b83cdd6773cf9df0c |
| SHA512 | 26bcb89191f7e8899a76876bbffee222029efd195a4b2a81b9d9e2a6a184280a5092214caa69db16c90767e433dd03c439da74f6de12d91ad7f4f30fb51a4809 |
C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat
| MD5 | 82d8822d55e56c5ade7ea743f2afa125 |
| SHA1 | a19d381a9f708ed8c344b26a603e536cae6d0b77 |
| SHA256 | bff074fdc5eef03db8eedefc6fbf8be975206c6461c38957c4362d4b92069ce1 |
| SHA512 | 2eb9e21fcf283480583b5cca448b996a528539d3697e34a2526edd4adb68bb653628b780e800e897ea2cf55f958a823db33c75f11b97627f3b29378b98ddaee5 |
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat
| MD5 | de6179249f5dbf92647b7c621ddecf38 |
| SHA1 | 20307d272c4695341484f5304eaf0509f5c27cd0 |
| SHA256 | cc0624f190f03bb61654101bb61fe342c9d3c2ce792bcf4deff95a354aa50113 |
| SHA512 | c491795308dc6dbef4f1fa8d90363699f8b85031def8964fab9076fb24b946f528198e2bf6b18c515a70d99814de4793f85d996833c50bf98cf9fa163839ec02 |
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat
| MD5 | 0558342c2953c9531f29c834e0a4ee1e |
| SHA1 | 42693e1bf4b28ad3e847a22380d657db90039c29 |
| SHA256 | 954b8d1a1c0e6c6d73e7e04f6d8443a6c2611715a76d9e5609aab4808b6805a7 |
| SHA512 | 35f04e68debb956ebe874f3b33a8f6bc21f303bb65c359efd12198111a909df80fcf28255a894636fc4a1e074cbef49d58ae779dae7d2feb3d9d7a39b4fe07e3 |
memory/1596-132-0x0000000000AF0000-0x0000000000B02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat
| MD5 | 43235aa5c1537e6a2a16f108adb36bb2 |
| SHA1 | 1dbf3e131968addb22f264701b388c62a1013a83 |
| SHA256 | 8d11b984dc3c2ef2a10ccb8c12e0db1192a1f936edd9b44aec0ec642022f9886 |
| SHA512 | 8f581fbdd9cba32bf876ea4c6b27cdd71a02277112892b527bac36af5ed042db37624a44a3cd805e46f80cbb9d7854d488d774afa42482fa8afc2da906a03630 |
memory/3356-139-0x00000000011D0000-0x00000000011E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat
| MD5 | 04feb437f70b2ee5be02310d6b3d1adc |
| SHA1 | 9b856313e13ecf138c264a4c15375838db3ab13c |
| SHA256 | 0cdd8834b2898a5f6b5b926462ae9caa35ab34baf06925746a82ea73b979b9fd |
| SHA512 | b505c13a3f6137e26efc9c47408cf8edf93b278c6c8aee90b68536c97d385e6c848c4ccd2a74593d5ad87fea6a1dd4e73b956fd20cbc7330ca11b1ba5b5dda32 |
memory/2488-146-0x0000000000E80000-0x0000000000E92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat
| MD5 | 1ce12b3d8c7397510e5943c11befe93f |
| SHA1 | 8ad66eeab03745fa0cf963d4a0e8022cb8167cd6 |
| SHA256 | 4d83e08e2931148d2f68296a10dd7d61ede4ad29b6a89845c0dff245d1298792 |
| SHA512 | 6daf126539fbd800e7c05cdc7891ce1d0aa5fe6e428106b895cc97883cecd6e22561aa10c2c1bd831f26264a485ca66fc2a537df85b7fde3302698f77168a711 |
memory/112-153-0x0000000001740000-0x0000000001752000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat
| MD5 | 137d81770bc2e605ef4dc4b8e20c1d6b |
| SHA1 | 4c9a4302594589d883424441ae5c7116110cfe70 |
| SHA256 | 7cecd5d862b4aa5c7ed79996bfbb433fa54b239b3e5888b81b8f7e29f99fddeb |
| SHA512 | a909cea93d126ec329fe5ba5ed81cc26ab866b21791663ee594d00ca7b577d9ad87cd46b614c5856cb121b2125c6d48b482e87cfc01fa50dc7cf36d63cb372bd |
C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat
| MD5 | 393facc3db4fd4f18d0aa7507c4ef990 |
| SHA1 | dfacbfbc143e728fab6cace39a39822933cdb5f6 |
| SHA256 | 1fb62c8c044f0b081cc7f1fac91ab1ee12b0539e907ce904917ae85ae36bb6fe |
| SHA512 | fca93f08ec0b46ba9967f368c4d5e651b62f740ec129acb7b6242f9c7221cc203f239f9c2119f8ed21cfa033948b656da00ceeb738a87aab818db9fa4d304851 |