Analysis Overview
SHA256
ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8
Threat Level: Known bad
The file JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Dcrat family
Process spawned unexpected child process
DcRat
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 19:38
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 19:38
Reported
2024-12-30 19:40
Platform
win7-20240903-en
Max time kernel
144s
Max time network
140s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe | N/A |
| N/A | N/A | C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe | N/A |
| N/A | N/A | C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe | N/A |
| N/A | N/A | C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe | N/A |
| N/A | N/A | C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe | N/A |
| N/A | N/A | C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe | N/A |
| N/A | N/A | C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe | N/A |
| N/A | N/A | C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe | N/A |
| N/A | N/A | C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe | N/A |
| N/A | N/A | C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\WCN\fr-FR\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\System32\WCN\fr-FR\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Sidebar\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\en-US\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\fr-FR\lsm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\en-US\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\1033\lsm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\1033\101b941d020240 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\fr-FR\101b941d020240 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WCN\fr-FR\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nmp3kJtbKc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
"C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
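The process tree above shows the whole DCRat persistence routine in one place: every schtasks.exe is a child of wmiprvse.exe (so the tasks are created through a WMI process-creation call rather than directly by the dropper), each dropped copy gets three tasks (a per-minute trigger under the name built from the binary's stem plus its first letter, taskhostt / dwmd / csrssc / lsml, an ONLOGON task under the plain stem at /rl HIGHEST, and a second per-minute task at /rl HIGHEST), every task runs a Windows system-binary name from a directory outside System32, each payload is whitelisted with Add-MpPreference, and the .bat launchers from Temp use w32tm /stripchart against localhost as a sleep. The script below is an added example for this report, not sandbox output: it runs detection logic for those behaviours over process-creation events constructed from the command lines above. The event field names (parent_image, image, command_line, modelled on Sysmon Event ID 1) and the benign defrag.exe control event are assumptions.

```python
"""Flag DCRat-style persistence in Windows process-creation events.

Added example for this report, not sandbox output. SAMPLE_EVENTS is constructed
from the command lines in the Processes section; the wmiprvse.exe parent comes
from the 'Process spawned unexpected child process' signature. The event field
names (parent_image, image, command_line) and the benign defrag.exe control
event are assumptions, modelled on Sysmon Event ID 1 data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Windows binaries this sample impersonates in its /tr targets, plus a few
# others; none should ever execute from outside System32 / SysWOW64.
SYSTEM_BINARY_NAMES = {
    "taskhost.exe", "dwm.exe", "csrss.exe", "lsm.exe", "winlogon.exe",
    "wininit.exe", "smss.exe", "cmd.exe", "conhost.exe", "wmiadap.exe",
    "svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe",
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_EXCLUSION = re.compile(r"""add-mppreference\s+-exclusionpath\s+['"]([^'"]+)['"]""", re.I)
_TEMP_BAT = re.compile(r'[a-z]:\\users\\[^"]*?\\appdata\\local\\temp\\[^"]+\.bat', re.I)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted strings" whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def schtasks_options(tokens):
    """Map /switch -> value ('' for bare switches such as /create or /f)."""
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 1
            else:
                opts[key] = ""
        i += 1
    return opts


def split_path(path):
    """Return (path without quotes, lower-case directory incl. trailing backslash, lower-case basename)."""
    clean = path.strip().strip("'\"")
    head, _, base = clean.lower().rpartition("\\")
    return clean, head + "\\", base


def analyze(ev):
    """Return (tags, artifacts): tags are (kind, detail) pairs; artifacts hold the
    task name, payload path and Defender exclusion an IR team needs for clean-up."""
    tags, art = [], {}
    parent, image = split_path(ev.parent_image)[2], split_path(ev.image)[2]
    tokens = tokenize(ev.command_line)
    if image == "schtasks.exe":
        if parent == "wmiprvse.exe":
            tags.append(("wmi-spawn", "schtasks.exe created via WMI (parent wmiprvse.exe)"))
        opts = schtasks_options(tokens)
        if "create" in opts and "tr" in opts:
            target, tdir, tbase = split_path(opts["tr"])
            stem, name = tbase.rsplit(".", 1)[0], opts.get("tn", "")
            art["task_name"] = name
            if tbase in SYSTEM_BINARY_NAMES and not tdir.startswith(TRUSTED_DIRS):
                tags.append(("masquerade-path", f"{tbase} scheduled from {target}"))
                art["payload"] = target
            # In this trace the periodic tasks are named <stem><first letter of stem>
            # (taskhostt, dwmd, csrssc, lsml ...) and the ONLOGON tasks just <stem>.
            if stem and name.lower() in (stem, stem + stem[0]):
                tags.append(("dcrat-task-name", name))
            if opts.get("sc", "").upper() == "MINUTE":
                tags.append(("minute-trigger", f"every {opts.get('mo', '?')} min"))
            if opts.get("rl", "").upper() == "HIGHEST":
                tags.append(("highest-runlevel", name))
    elif image == "powershell.exe":
        m = _EXCLUSION.search(ev.command_line)
        if m:
            tags.append(("defender-exclusion", m.group(1)))
            art["exclusion"] = m.group(1)
    elif image == "w32tm.exe":
        low = {t.lower() for t in tokens}
        if "/stripchart" in low and "/computer:localhost" in low:
            tags.append(("w32tm-sleep", "stripchart against localhost used as a delay"))
    elif image == "cmd.exe":
        m = _TEMP_BAT.search(ev.command_line)
        if m:
            tags.append(("temp-batch", m.group(0)))
    return tags, art


def triage(events):
    """Aggregate per-event findings into an IR-ready summary."""
    out = {"flagged": 0, "tag_counts": Counter(), "task_names": set(),
           "payload_paths": set(), "excluded_paths": set()}
    for ev in events:
        tags, art = analyze(ev)
        if not tags:
            continue
        out["flagged"] += 1
        out["tag_counts"].update(kind for kind, _ in tags)
        for key, bucket in (("task_name", "task_names"), ("payload", "payload_paths"),
                            ("exclusion", "excluded_paths")):
            if key in art:
                out[bucket].add(art[key])
    return out


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
DROPPER = r"C:\providercommon\DllCommonsvc.exe"
# Constructed from the Processes section above; the last event is an assumed
# benign control that the rules must leave alone.
SAMPLE_EVENTS = [
    ProcEvent(WMIPRVSE, SCHTASKS, r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /f'''),
    ProcEvent(WMIPRVSE, SCHTASKS, r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f'''),
    ProcEvent(DROPPER, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'"),
    ProcEvent(DROPPER, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nmp3kJtbKc.bat"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(r"C:\Windows\explorer.exe", SCHTASKS,
              r'schtasks.exe /create /tn "NightlyDefrag" /sc DAILY /st 02:00 /tr "C:\Windows\System32\defrag.exe" /f'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for kind, detail in analyze(ev)[0]:
            print(f"{kind:18} {detail}")
    print(triage(SAMPLE_EVENTS))
```

The summary returned by triage() is what you hand to the host owner: task_names to delete with schtasks /delete, payload_paths to quarantine, and excluded_paths to remove with Remove-MpPreference -ExclusionPath. The masquerade rule keys on the combination of a system-binary name and a directory outside System32/SysWOW64 rather than on the exact paths in this report, so it also catches the same builder's output with different drop directories; the task-name rule is specific to the naming scheme visible in this trace and will miss samples that randomise task names.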
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/860-13-0x00000000009D0000-0x0000000000AE0000-memory.dmp
memory/860-14-0x0000000000980000-0x0000000000992000-memory.dmp
memory/860-15-0x0000000000990000-0x000000000099C000-memory.dmp
memory/860-16-0x00000000009A0000-0x00000000009AC000-memory.dmp
memory/860-17-0x00000000009B0000-0x00000000009BC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 87b41dcc0767ad387ddd3492be40d4c9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 19:38
Reported
2024-12-30 19:40
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Downloads\Registry.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
| N/A | N/A | C:\Users\Default\Downloads\Registry.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\Downloads\Registry.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " |
| C:\providercommon\DllCommonsvc.exe | "C:\providercommon\DllCommonsvc.exe" |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\Registry.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Downloads\Registry.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\Registry.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /rl HIGHEST /f |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\Registry.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\SearchApp.exe' |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i6FNlRHyuX.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Users\Default\Downloads\Registry.exe | "C:\Users\Default\Downloads\Registry.exe" |
Network
Files