Analysis Overview
SHA256
583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f
Threat Level: Known bad
The file JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Process spawned unexpected child process
DcRat
Dcrat family
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:11
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:11
Reported
2024-12-30 02:14
Platform
win7-20240903-en
Max time kernel
145s
Max time network
140s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\de-DE\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\ja-JP\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\6203df4a6bafc7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\de-DE\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Branding\ShellBrd\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Branding\ShellBrd\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\de-DE\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\de-DE\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\ShellBrd\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3zRe6kLImV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\de-DE\cmd.exe
"C:\Program Files\Windows Sidebar\de-DE\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1460-13-0x00000000002E0000-0x00000000003F0000-memory.dmp
memory/1460-14-0x0000000000240000-0x0000000000252000-memory.dmp
memory/1460-15-0x00000000004F0000-0x00000000004FC000-memory.dmp
memory/1460-16-0x00000000002D0000-0x00000000002DC000-memory.dmp
memory/1460-17-0x0000000000500000-0x000000000050C000-memory.dmp
memory/1540-59-0x0000000002060000-0x0000000002068000-memory.dmp
memory/1540-58-0x000000001B4A0000-0x000000001B782000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 1670e058b6a6ecde7901908b7ccd7529 |
| SHA1 | 69d42e02def541a93a674baba2d4747f207d890a |
| SHA256 | 6b4fa2e6e53a385c710314a2001c8f697a1766f9d9aa951ef1c2e0f93443ace6 |
| SHA512 | 338429f8811567a9041f0d38ae4727361353bd07cacaaa46d685abe4b3ece2dcbc1e7b67fb2ad80c725d969f0886ace0a936b148349e5875a48c75f1f48521d4 |
C:\Users\Admin\AppData\Local\Temp\3zRe6kLImV.bat
| MD5 | bee8b25cb063c5971a6877e1aa348664 |
| SHA1 | 94e8a7803d5e2bdc74b0b0f98140e43dbba79f7a |
| SHA256 | 2b91a594aa9fff6a36dc18de17c29aa708adffd231d4ce84846aa254dcd57148 |
| SHA512 | 7d7b43c325bb3e663fca4cb506ca70e026ff9a3cab710f3f1737db4921b14739d4030f9546a9093d7c403ef02984785feac6b2cbd8425ddb98d38a8dbf39e197 |
memory/884-122-0x0000000000FE0000-0x00000000010F0000-memory.dmp
memory/884-123-0x00000000001D0000-0x00000000001E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab3E9.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar40B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat
| MD5 | 5c41b03c2f7c9df0d403f7556e812b7d |
| SHA1 | 947f2dc754ecc572afcc154749c99c7bc8aa49d6 |
| SHA256 | 355ab0e16d8a88e0aab69392175fedcd9cb3d46a79a80a00c245fe988efa80b0 |
| SHA512 | ad4fecb775e108b0ac96d590803054ca9e1d08c7ee586b97260ab30aead62694276ee91360b326c14cedd9bb2b3d7a3608b18c1c5609c06f45aad452a0393111 |
memory/2668-182-0x00000000003C0000-0x00000000003D2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c4f914c75290a041619075ca35ffd925 |
| SHA1 | b62ef7e9813cf8b9accce29bb0c85cf8908b92d1 |
| SHA256 | 5183671d3556fe363aff27775b0d3707db82870db43865c22a1a48772490bf3f |
| SHA512 | 28c1ae0d6367a03ce6cb215bc178a39b31a921e82e2805703f36ce7e26fde1b5efa13eacd29fed4666fd2dd1087a4c6bdee09dd520da966a27b11d623ad6ab23 |
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat
| MD5 | 9236b2a8385b9db43af193a7f22849b7 |
| SHA1 | 0d9f67e3901fe89b7d89850ac00fd4012a76ddb1 |
| SHA256 | 0a47f3677601987d482499d680e473f66823cb6b4eefc737144f886c127a905b |
| SHA512 | 7dd11807e7ec76b106347582673ff9a2e41e556f3acd5267a624ae8166dd166e89538c61c15acb77eaa3bb98f808288506fa79de233036444e398853feeb00f0 |
memory/936-242-0x0000000000090000-0x00000000001A0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e79f4c680a275dc1ac9b41fb8177174 |
| SHA1 | 9dcc675d2da050cdcd06f1476e67264cff75324d |
| SHA256 | c338dacd46090de2f8dabf830a3aa0d50d3f5908c9e1f5f37967ea3612e3318d |
| SHA512 | c29d8bbac8f5cf5ba33ccfcfc413a45cff4c097cfa464b0f259c5e1b1cd34721ce2771995b3405d8eb862fa31520c3b4b02f3d21b064b9512673050c47605612 |
C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat
| MD5 | 122e4beaa485f3ae8cc5da9178ca18ea |
| SHA1 | de921c4f617183ac4623e01a8a39395e0acf5eee |
| SHA256 | ff6180c70123625eaf02dca1f95be6d82dd0b8d52944a3c5c4c899026dae5480 |
| SHA512 | c4872bd5169d9a6f3db9dd0be77bb7f2ff74eaa321662956eae130d4a479f6dfc02a9e12da0923beed248144e6106943071d878fa466b60779fb41ea38b458ee |
memory/2620-302-0x0000000000830000-0x0000000000940000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 67dc2114b279166dabc55693c1330cdb |
| SHA1 | af06de2b9b4dac83e781d1d84e4f157a83793c3b |
| SHA256 | 2a6f03aa2b93f565353ed05f21693e3d51eeaa642605c183daf81dc9877aecb7 |
| SHA512 | c3d3fa912160a0648bf023ac734a0d0acd828374ffb3d8f9ed7663f1f1e9d0977b450533e440314f78b69d2a5c7066704e7b2761f667a1c3903bd5da2b4ecdde |
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat
| MD5 | 15373896f5db827b35caae17cac2363f |
| SHA1 | bd12d7dd08c2fddbd2df9cabd7dc251cbdfc7327 |
| SHA256 | 08af8ce0cb61425b24dcf8ca6cf86c2f5e8ec6600bb259a0a79756ccda8a69c8 |
| SHA512 | d26a76e166160aabfc151dc401e2b6e6abc0e16dd9355fc4c9f6858aaac6d4d576f99f7c5d8847fe3880ed15adcd6062e086a005dda0ca017fa5498cf06b6705 |
memory/2420-362-0x0000000000D90000-0x0000000000EA0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fd34ea5ed23eb6c1fbb1df00290ee0b4 |
| SHA1 | a9e19e7b0fc4b55df70de39d36c6e1eadb3fd772 |
| SHA256 | 1df918b27fa5a21c8529d752c4c3b86b1db83a642b76725c3caf0e22af3e8967 |
| SHA512 | 910ca5a6adcc6f22e9d3552cc82ead255631df654ca459b844ad64b6788a6dd15e0dddf5d2a72c1bcf78cef7014da9a80fe13baae20c3993cabc97f082f91fa9 |
C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat
| MD5 | cfefb0e720b98d318f3721a89b4e2aa1 |
| SHA1 | 996a15003bc9eea3272e134d64e549169e7179c5 |
| SHA256 | 4c5152dd862826606b4aebaed0434da0627c1973d8a567a4d5149361d2012dad |
| SHA512 | 6cf40d21c18cc10a6c793d862bf63c2170d05bf07df8609fce04911a62416418587f89e8105faf7667d60d55be140ce63873db10110dd8efa7d2681aca9bfe88 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e18085bfb19f98b4079a7d61d6f73f89 |
| SHA1 | 7b77c8178fde50ec92c9cb8758dfb280f74ac270 |
| SHA256 | e738dab4c00b7f159475a34e5319a3016c63d07a1f1dfad9b264935517f7d574 |
| SHA512 | fc11f17cfed6df63c8ca15122c787c63d84f955d4a21be9aecdbf1ebb7d1f70971db721fcb2b11ae1454bce0dbaf07af826b7a8ff7152b378655f62061f80d2a |
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:11
Reported
2024-12-30 02:14
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Mail\ea1d8f6d871115 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Defender\fr-FR\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\ModifiableWindowsApps\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\upfc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\upfc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Defender\fr-FR\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\ea1d8f6d871115 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\PrintDialog\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\PrintDialog\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_583aa0e582ed82eb4a51a653ac022c2a5cf34af0cbf50dd9c9d48ee74fbdf17f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\PrintDialog\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PrintDialog\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Searches\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\Registry.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\TextInputHost.exe'
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe
"C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
C:\providercommon\DllCommonsvc.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzuuo3d0.vrc.ps1
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59d97011e091004eaffb9816aa0b9abd |
| SHA1 | 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b |
| SHA256 | 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d |
| SHA512 | d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat
| MD5 | 2fa2c1a11d8f12fc32b2d74be5997d86 |
| SHA1 | 19930aeff12a5ef38c2aa644b04a308eff924845 |
| SHA256 | befaf9debb88a9aeca39e982e863a207a23c652825ad3f0d6170407a19e2e4de |
| SHA512 | 2c8b3b1b48b274401508e27d02f409647a0a938cc668480f5cdd20ad0796b66e3d9363e4b79c12c21b0b65abdd879c0df2e4b31a1521ef5917d519b95b7e705f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/3872-172-0x000000001D000000-0x000000001D102000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat
| MD5 | 99ea97c08b62f3c7b30fe265ab1b309f |
| SHA1 | 5249d56e2ea828b83be26817f02476860db7e22a |
| SHA256 | 655500cc6629e7631f595ae5f1949d08090f493618bac51549314a8c8a40d008 |
| SHA512 | 38dcf0d84f0ebd98d7f8b84211ef144c15bcb2452145fac3a52094698d104f5c6bccefe7b409c980c4237c5cc2fdb0e10f09ef841553ccdfb60b43879d5c9720 |
memory/2948-175-0x000000001B7F0000-0x000000001B802000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat
| MD5 | 8bc8d97f9d75dc90ed9443441dd55abe |
| SHA1 | 4750521ef16f4f5a3dc3339d8c4eaeebe2981b1e |
| SHA256 | 7f5a2e97eca59eabc32c2757e56231837c67fe319c1d42964749d7bd0c0678bf |
| SHA512 | 4737f6d3949b23460c78a2fd57f5db0ac74f4ec78e388c1a3b49e3129709cffb4f4950987b8205196b258b5990813c3d767964d180bf3f1a44fc1f8af402650d |
memory/4528-182-0x000000001BDF0000-0x000000001BE02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat
| MD5 | 50e3da5143a885b8731bda4125cad2ae |
| SHA1 | 577250d35a3cd1690f6ed734b7fc7a19bffbc47e |
| SHA256 | 035e9fcd1fa128f97d314ac934a07fb6b6001989adc09b6aa920690a86d6b590 |
| SHA512 | 5b16c4909765918013ae786c8ffab3ba8bd1eff641a34e8e4678094f98b56dc57eb7c7a7aef2846b740c56abeb68cace301cb0961f5a9fde470926dac28bedfb |
C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat
| MD5 | 0b758ce52eee88140d0afc639bd163fb |
| SHA1 | bea0d1425d5aff3ea31b5e0333497f664c10e7c3 |
| SHA256 | ae95b0d2fd5a08c8e6db8dcf45cdab2e72e2926e8943b9d67676e2a869318949 |
| SHA512 | 2df6f2b0486ca8e69383bd59d973cc3f5577c0dc61b418654bf7a1638adadd2d776b8d63ab5f4e3284dfb9e79d9052765d3e1e5ec6b6222cd91438a3ee8e421f |
memory/2152-195-0x000000001B5F0000-0x000000001B602000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat
| MD5 | 94b5ab0af7bab5418dd4a80687b9d524 |
| SHA1 | c4929ace28dc65710705d29d65c425e8c077b840 |
| SHA256 | 1a387147fd7bec6e1e17ec5ce1a8549ecc61ceadb64fe206894a9ca610c99b73 |
| SHA512 | e63e7e71f6bfd5ba4b2f84293c4073775c99a188845ae1903c115da55f14070cc4c0d4b31a45af748abbaa0f19e7db10380408d59b3e3754708c9b30643b8dab |
C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat
| MD5 | a45ed1a843871f5fd13efadb60f4036a |
| SHA1 | 341a6fc6de392ffda26f9c0011433ccc3fdf72c7 |
| SHA256 | c3211fb8719af412dbdc1b391575d0037a9a4bcaad47419a944fae9aa5048b94 |
| SHA512 | 89f8daa28c92cb5ba7f00f1eb6aaa81bd5309e4620ee59cea317084a00f2235e7eed293eca4e93581b13cae2a8cdbe37791d8eee1dd02e6b4c9694cc6f4f9b86 |
C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat
| MD5 | 7f2bb36bfd129f3af99b953c630b25b3 |
| SHA1 | 28699bf97cf7c8283ad3b9876ad7e96216eae57a |
| SHA256 | fda53238dc89ace15cdb98ec1620487a852e04bda463aa91ccc3f62a7ab08278 |
| SHA512 | de18f7b81478131dfabc7d5dd575e9ccba7cc9ee078c5c44f819acb7429a00307487550bb85a1598da980c1cdb2adc07e7689a8e4b4ef4a61aeda71a20cda2ec |
C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat
| MD5 | 84ea4c439d15e03853c8562cbf459907 |
| SHA1 | 45bbf44a1b4f11e000e0c64d191e4d84539f7afa |
| SHA256 | 58b66a64474201553c8b440d9700de3f01a26450066cc405f360dd61e6a6d39d |
| SHA512 | 3f4c38314615be66c0677b2f314390f4aad93ba04ce73ab09321d222cd24e3f09aab3e313a681e99988f191a836987c12d14a71b673291c404487cd84c837dd7 |
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat
| MD5 | 4ce7af8128d57e0fa46e7d979dfb4ca5 |
| SHA1 | 483ad49ea8d587e0774e3b273a3bc2475969fae4 |
| SHA256 | 0c82b46e305a30c519825a604172dc8eddd4afe6fdc93d89134bf9999be8f885 |
| SHA512 | 66ac0ba1411129242da3ab0b777607be1a12d5e8b5c356b5075170dd536325421b772deddcd285d60b9a46b2919f2009b75a37b73244398e1ac1813d4af35c62 |
C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat
| MD5 | df32b16d09a0e160a9c5e405ad3e4ba3 |
| SHA1 | 0b61dcc64096ed57f8285af1d55ff959afc0c742 |
| SHA256 | 6be8c21e6577c673f8e6dcc45e9da7bb76300f5da25c006a70ef95be004016a4 |
| SHA512 | 9ccf9cd7fc3ada0c91abcc24f6e7f375daf30b883796f4197b9a4918867af9659b89fecb65d686433588337ca2f009555d17e33192abc53bea3d4f5ae8b272bb |
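The dropped-file listing above is the part of this report an incident responder actually reuses: the paths and digests are the indicators to sweep other hosts for. The following is an added example (not tooling from the sandbox vendor or from the DCRat operators) that parses the report's own `path` / `| ALGO | hex |` layout into an IOC index, validates digest lengths so a mangled copy of the table cannot silently produce a non-matching indicator, and hashes files under a directory against it. The embedded excerpt is copied from the first two dropped files above; the planted file, its hash and the label `C:\hypothetical\planted.bin` used in the self-check are constructed for the demo and do not appear in the report.

```python
"""Parse a sandbox dropped-file listing into an IOC index and sweep a directory for matches.

Added example for this report; not the sandbox's or the malware author's code.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Excerpt in the report's layout: a path line, then `| ALGO | hex |` rows.
# Memory-dump artifact names carry no hashes and are dropped by the parser.
REPORT_EXCERPT = """\
C:\\providercommon\\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
C:\\providercommon\\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
memory/4024-13-0x00000000001C0000-0x00000000002D0000-memory.dmp
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_listing(text):
    """Return {report_path: {algo: hexdigest}}; reject digests of the wrong length."""
    iocs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest of length {len(digest)} for {current}")
            iocs[current][algo] = digest
        else:
            current = line  # any non-row line is the next artifact name
            iocs.setdefault(current, {})
    # entries without hashes (memory dumps) are names, not file IOCs
    return {p: h for p, h in iocs.items() if h}


def build_index(iocs):
    """Invert to {sha256: report_path} so a disk sweep is one dict lookup per file."""
    return {h["SHA256"]: p for p, h in iocs.items() if "SHA256" in h}


def check_paths(iocs, exists=os.path.exists):
    """Cheap first pass: which of the report's drop paths exist on this host."""
    return sorted(p for p in iocs if exists(p))


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so large payloads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, index):
    """Hash every regular file under root; return [(local_path, report_path)] hits."""
    hits = []
    for f in Path(root).rglob("*"):
        if f.is_file():
            digest = sha256_file(f)
            if digest in index:
                hits.append((str(f), index[digest]))
    return hits


def self_check():
    """Offline demo: plant a constructed file, register its hash, confirm sweep finds it."""
    index = build_index(parse_listing(REPORT_EXCERPT))
    planted = b"constructed sample payload, not the real DllCommonsvc.exe\n"
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "planted.bin").write_bytes(planted)
        # hypothetical label: this hash is of our constructed file, not from the report
        index[hashlib.sha256(planted).hexdigest()] = "C:\\hypothetical\\planted.bin"
        hits = sweep(root, index)
    return [report_path for _, report_path in hits]


if __name__ == "__main__":
    iocs = parse_listing(REPORT_EXCERPT)
    print("present drop paths:", check_paths(iocs))
    print("self-check hits:", self_check())
```

Hash matching is exact-match only: a rebuilt or re-obfuscated payload will not hit, and the twelve randomly named `.bat` wrappers in `%TEMP%` are per-run artifacts whose digests are unlikely to repeat. Treat the stable install location `C:\providercommon\` and the `DllCommonsvc.exe` name as the more durable hunt keys, and use the digests to confirm a suspect file rather than to find one.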