Windows Analysis Report
ywXeiXEvP2.exe

Overview

General Information

Sample name: ywXeiXEvP2.exe
renamed because original name is a hash value
Original sample name: a8a4603bc85e306e0fdd17655e4820e4.exe
Analysis ID: 1455415
MD5: a8a4603bc85e306e0fdd17655e4820e4
SHA1: 5aa5d092a699c319c4d000f61eb526445b11662d
SHA256: 4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a
Tags: DCRatexe
Infos:

Detection

DCRat, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Yara detected DCRat
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Machine Learning detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

barindex
Source: http://a0991799.xsph.ru/@=AjM2MDZ4kjN Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\XClient.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Roaming\XClient.exe Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Uninstall Information\OfficeClickToRun.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: 00000008.00000002.1902459797.000000001290D000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"SCRT": "{\"9\":\">\",\"A\":\"_\",\"a\":\"#\",\"4\":\"&\",\"j\":\"`\",\"i\":\")\",\"0\":\"(\",\"o\":\"~\",\"D\":\"!\",\"k\":\"$\",\"y\":\"|\",\"h\":\"@\",\"Q\":\"-\",\"H\":\"%\",\"S\":\" \",\"d\":\"<\",\"M\":\"*\",\"3\":\",\",\"J\":\";\",\"L\":\".\",\"m\":\"^\"}", "PCRT": "{\"O\":\"^\",\"U\":\"*\",\"v\":\"(\",\"V\":\")\",\"5\":\"!\",\"M\":\",\",\"Q\":\"$\",\"h\":\"-\",\"0\":\"_\",\"T\":\"~\",\"W\":\"@\",\"j\":\".\",\"1\":\"#\",\"L\":\"%\",\"K\":\"|\",\"t\":\";\",\"y\":\">\",\"a\":\"<\",\"o\":\" \",\"B\":\"&\",\"u\":\"`\"}", "TAG": "", "MUTEX": "DCR_MUTEX-s86YqWdFI22lJKKIYeYT", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": true, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://a0991799.xsph.ru/@=AjM2MDZ4kjN", "H2": "http://a0991799.xsph.ru/@=AjM2MDZ4kjN", "T": "0"}
Source: 1.0.Result.exe.7c9678.2.raw.unpack Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "letter-takes.gl.at.ply.gg"], "Port": "50230", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe ReversingLabs: Detection: 87%
Source: C:\Program Files\Uninstall Information\OfficeClickToRun.exe ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe ReversingLabs: Detection: 87%
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe ReversingLabs: Detection: 87%
Source: C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe ReversingLabs: Detection: 87%
Source: C:\Recovery\XClient.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Local\Temp\XClient.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\XClient.exe ReversingLabs: Detection: 95%
Source: C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe ReversingLabs: Detection: 87%
Source: C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe ReversingLabs: Detection: 87%
Source: C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe ReversingLabs: Detection: 87%
Source: ywXeiXEvP2.exe ReversingLabs: Detection: 73%
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.5% probability
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe Joe Sandbox ML: detected
Source: C:\Recovery\XClient.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Joe Sandbox ML: detected
Source: C:\Program Files\Uninstall Information\OfficeClickToRun.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Joe Sandbox ML: detected
Source: 1.0.Result.exe.7c9678.2.raw.unpack String decryptor: 127.0.0.1,letter-takes.gl.at.ply.gg
Source: 1.0.Result.exe.7c9678.2.raw.unpack String decryptor: 50230
Source: 1.0.Result.exe.7c9678.2.raw.unpack String decryptor: <123456789>
Source: 1.0.Result.exe.7c9678.2.raw.unpack String decryptor: <Xwormmm>
Source: 1.0.Result.exe.7c9678.2.raw.unpack String decryptor: XWorm V5.6
Source: 1.0.Result.exe.7c9678.2.raw.unpack String decryptor: USB.exe
Source: 1.0.Result.exe.7c9678.2.raw.unpack String decryptor: %AppData%
Source: 1.0.Result.exe.7c9678.2.raw.unpack String decryptor: XClient.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\d908c538d2e8d0
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Directory created: C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Directory created: C:\Program Files\Windows Multimedia Platform\d908c538d2e8d0
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\7ccfebd9e92364
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\9e8d7a4ca61bd9
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Directory created: C:\Program Files\Uninstall Information\OfficeClickToRun.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Directory created: C:\Program Files\Uninstall Information\e6c9b481da804f
Source: ywXeiXEvP2.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Result.exe
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: ServerWeb.exe, 00000008.00000002.2226889345.000000001BF70000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: ServerWeb.exe, 00000008.00000002.2226889345.000000001BF70000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: ywXeiXEvP2.exe
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C018647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7C018647C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C019ECE0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7C019ECE0
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01B3130 FindFirstFileExA, 0_2_00007FF7C01B3130
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008DA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 2_2_008DA5F4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008EB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 2_2_008EB8E0

Networking

barindex
Source: Traffic Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:53174 -> 147.185.221.19:50230
Source: Traffic Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:53194 -> 147.185.221.19:50230
Source: Malware configuration extractor URLs: 127.0.0.1
Source: Malware configuration extractor URLs: letter-takes.gl.at.ply.gg
Source: Malware configuration extractor URLs: http://a0991799.xsph.ru/@=AjM2MDZ4kjN
Source: global traffic TCP traffic: 192.168.2.4:53164 -> 147.185.221.19:50230
Source: Joe Sandbox View IP Address: 147.185.221.19 147.185.221.19
Source: Joe Sandbox View ASN Name: SALSGIVERUS SALSGIVERUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: letter-takes.gl.at.ply.gg
Source: XClient.exe, 00000003.00000002.4161351133.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, ServerWeb.exe, 00000008.00000002.1889481824.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

barindex
Source: Result.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.3.Result.exe.b10a30.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.Result.exe.7c9678.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.XClient.exe.480000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.Result.exe.7c9678.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.3.Result.exe.b10a30.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Result.exe.b08218.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.Result.exe.466afd.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.Result.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.Result.exe.415eec.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000003.1702782236.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.1702689242.0000000000482000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1703441913.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000000.1684955911.0000000000408000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008D718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 2_2_008D718C
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe File created: C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe File created: C:\Windows\IdentityCRL\d908c538d2e8d0
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe File created: C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe File created: C:\Windows\IME\IMEKR\d908c538d2e8d0
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe File created: C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe File created: C:\Windows\ELAMBKUP\d908c538d2e8d0
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01A09D8 0_2_00007FF7C01A09D8
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C0196294 0_2_00007FF7C0196294
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C018DC4C 0_2_00007FF7C018DC4C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C019ECE0 0_2_00007FF7C019ECE0
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C019569C 0_2_00007FF7C019569C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01A400C 0_2_00007FF7C01A400C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C018A8AC 0_2_00007FF7C018A8AC
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C018B948 0_2_00007FF7C018B948
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C018E91C 0_2_00007FF7C018E91C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01A400C 0_2_00007FF7C01A400C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01B59E0 0_2_00007FF7C01B59E0
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C019CA30 0_2_00007FF7C019CA30
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01872AC 0_2_00007FF7C01872AC
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C018B318 0_2_00007FF7C018B318
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01B5510 0_2_00007FF7C01B5510
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01AFD18 0_2_00007FF7C01AFD18
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01ABDF8 0_2_00007FF7C01ABDF8
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C018BF0C 0_2_00007FF7C018BF0C
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01B2F24 0_2_00007FF7C01B2F24
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01B9008 0_2_00007FF7C01B9008
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C01AC074 0_2_00007FF7C01AC074
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008D857B 2_2_008D857B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008E70BF 2_2_008E70BF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008FD00E 2_2_008FD00E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008D407E 2_2_008D407E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_00901194 2_2_00901194
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008D3281 2_2_008D3281
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008DE2A0 2_2_008DE2A0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008F02F6 2_2_008F02F6
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008E6646 2_2_008E6646
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008E37C1 2_2_008E37C1
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008D27E8 2_2_008D27E8
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008F070E 2_2_008F070E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008F473A 2_2_008F473A
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008DE8A0 2_2_008DE8A0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008DF968 2_2_008DF968
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008F4969 2_2_008F4969
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008E3A3C 2_2_008E3A3C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008E6A7B 2_2_008E6A7B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008F0B43 2_2_008F0B43
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008FCB60 2_2_008FCB60
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008E5C77 2_2_008E5C77
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008EFDFA 2_2_008EFDFA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008DED14 2_2_008DED14
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008E3D6D 2_2_008E3D6D
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008DBE13 2_2_008DBE13
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008DDE6C 2_2_008DDE6C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008D5F3C 2_2_008D5F3C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: 2_2_008F0F78 2_2_008F0F78
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Code function: 3_2_00007FFD9B7C6406 3_2_00007FFD9B7C6406
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Code function: 3_2_00007FFD9B7C05A0 3_2_00007FFD9B7C05A0
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Code function: 3_2_00007FFD9B7C71B2 3_2_00007FFD9B7C71B2
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Code function: 8_2_00007FFD9B803555 8_2_00007FFD9B803555
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Code function: 8_2_00007FFD9B815B00 8_2_00007FFD9B815B00
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe Code function: 37_2_00007FFD9B7C3555 37_2_00007FFD9B7C3555
Source: C:\Program Files (x86)\jDownloader\config\conhost.exe Code function: 38_2_00007FFD9B7C3555 38_2_00007FFD9B7C3555
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Code function: 41_2_00007FFD9B8033AC 41_2_00007FFD9B8033AC
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Code function: 41_2_00007FFD9B80C740 41_2_00007FFD9B80C740
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Code function: 41_2_00007FFD9B802B20 41_2_00007FFD9B802B20
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Code function: 41_2_00007FFD9B802B20 41_2_00007FFD9B802B20
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Code function: 41_2_00007FFD9B802B20 41_2_00007FFD9B802B20
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Code function: 41_2_00007FFD9B802B20 41_2_00007FFD9B802B20
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\jDownloader\config\conhost.exe B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
Source: Joe Sandbox View Dropped File: C:\Program Files\Uninstall Information\OfficeClickToRun.exe B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
Source: Joe Sandbox View Dropped File: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe B59342163EA5752E627B1EB236F42A9882F15FDFF96CA77EBA7B20E416F4A4F3
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: String function: 008EE28C appears 35 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: String function: 008EE360 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Code function: String function: 008EED00 appears 31 times
Source: Result.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Result.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: Result.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ServerWeb.exe.2.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ywXeiXEvP2.exe, 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs ywXeiXEvP2.exe
Source: Result.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.3.Result.exe.b10a30.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.Result.exe.7c9678.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.XClient.exe.480000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.Result.exe.7c9678.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.3.Result.exe.b10a30.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Result.exe.b08218.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.Result.exe.466afd.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.Result.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.Result.exe.415eec.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000003.1702782236.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.1702689242.0000000000482000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1703441913.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1719076090.00007FF7C01D6000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000000.1684955911.0000000000408000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: XClient.exe.1.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.1.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.1.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ef7UDCGv7gcEUFZT1op.cs Cryptographic APIs: 'TransformBlock'
Source: 1.0.Result.exe.466afd.1.raw.unpack, ef7UDCGv7gcEUFZT1op.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.Result.exe.466afd.1.raw.unpack, g357BcsySpWm2aqpGZs.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.Result.exe.466afd.1.raw.unpack, g357BcsySpWm2aqpGZs.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.Result.exe.7c9678.2.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.1.dr, Settings.cs Base64 encoded string: 'rBjz7U/o2BFlwrIwGW6YVD/jeOSVunTMlvpBAz8+qFFueMbxy0zRw9MoYV6Lr0cj'
Source: 1.0.Result.exe.7c9678.2.raw.unpack, Settings.cs Base64 encoded string: 'rBjz7U/o2BFlwrIwGW6YVD/jeOSVunTMlvpBAz8+qFFueMbxy0zRw9MoYV6Lr0cj'
Source: 1.3.Result.exe.b10a30.1.raw.unpack, Settings.cs Base64 encoded string: 'rBjz7U/o2BFlwrIwGW6YVD/jeOSVunTMlvpBAz8+qFFueMbxy0zRw9MoYV6Lr0cj'
Source: 1.3.Result.exe.2642c39.0.raw.unpack, fCvAaGJbOISiMM9DuTO.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.3.Result.exe.2642c39.0.raw.unpack, fCvAaGJbOISiMM9DuTO.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.0.Result.exe.466afd.1.raw.unpack, fCvAaGJbOISiMM9DuTO.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.Result.exe.466afd.1.raw.unpack, fCvAaGJbOISiMM9DuTO.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.3.Result.exe.b10a30.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.3.Result.exe.b10a30.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.1.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.1.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.0.Result.exe.7c9678.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.Result.exe.7c9678.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@48/39@1/2
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C0183BF8 GetLastError,FormatMessageW,LocalFree, 0_2_00007FF7C0183BF8
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Code function: 0_2_00007FF7C019C260 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00007FF7C019C260
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe File created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe File created: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Mutant created: \Sessions\1\BaseNamedObjects\ke4QYmw58n6HyeTA
Source: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\e78b700b17b507eb7e67e7d398bae13027208301
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Command line argument: sfxname 2_2_008ED5D4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Command line argument: sfxstime 2_2_008ED5D4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Command line argument: STARTDLG 2_2_008ED5D4
Source: ywXeiXEvP2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ywXeiXEvP2.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe File read: C:\Users\user\Desktop\ywXeiXEvP2.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ywXeiXEvP2.exe "C:\Users\user\Desktop\ywXeiXEvP2.exe"
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe"
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 8 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\user\SendTo\sihost.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\user\SendTo\sihost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\user\SendTo\sihost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\jdownloader\config\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 6 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Program Files (x86)\jDownloader\config\conhost.exe "C:\Program Files (x86)\jdownloader\config\conhost.exe"
Source: unknown Process created: C:\Program Files (x86)\jDownloader\config\conhost.exe "C:\Program Files (x86)\jdownloader\config\conhost.exe"
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /f
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwH" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe "C:\Users\All Users\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe"
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe "C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FMxFFfLOKpqCLtTFEmbkPKJrDwHF" /sc MINUTE /mo 8 /tr "'C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\ywXeiXEvP2.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe