Analysis Overview
SHA256
fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0
Threat Level: Known bad
The file JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
Process spawned unexpected child process
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 01:38
Signatures
DCRat payload
Dcrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 01:37
Reported
2024-12-30 01:40
Platform
win7-20240708-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\Idle.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\es-ES\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\providercommon\Idle.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9eylyvpAgI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\Idle.exe
"C:\providercommon\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\Idle.exe
"C:\providercommon\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\Idle.exe
"C:\providercommon\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\Idle.exe
"C:\providercommon\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\Idle.exe
"C:\providercommon\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\Idle.exe
"C:\providercommon\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\Idle.exe
"C:\providercommon\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\Idle.exe
"C:\providercommon\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\Idle.exe
"C:\providercommon\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\Idle.exe
"C:\providercommon\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
\providercommon\DllCommonsvc.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R6FREHR1QKE9WBTRNU63.temp
C:\Users\Admin\AppData\Local\Temp\9eylyvpAgI.bat
C:\Users\Admin\AppData\Local\Temp\Cab99D1.tmp
C:\Users\Admin\AppData\Local\Temp\Tar99E4.tmp
C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat
C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat
C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat
C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat
C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat
C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 01:37
Reported
2024-12-30 01:40
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\OfficeClickToRun.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\Default User\OfficeClickToRun.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Photo Viewer\fr-FR\unsecapp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\fr-FR\29c1c3cc0f7685 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\ModifiableWindowsApps\sihost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\skins\fonts\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\skins\fonts\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CSC\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\IME\it-IT\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\IME\it-IT\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\it-IT\upfc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\it-IT\ea1d8f6d871115 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default User\OfficeClickToRun.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fe246d8df6111f1cce1f2ca30dd746b98ccbb2647f226bc654792f7594f62cb0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\it-IT\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\it-IT\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\it-IT\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\it-IT\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\TextInputHost.exe'
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\OfficeClickToRun.exe
"C:\Users\Default User\OfficeClickToRun.exe"
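The command lines above, together with the drop paths under "Drops file in Program Files directory" and "Drops file in Windows directory", form a recognisable DCRat persistence pattern: the dropper writes copies named after Windows binaries (lsass.exe, csrss.exe, dwm.exe, RuntimeBroker.exe, spoolsv.exe, dllhost.exe, unsecapp.exe, ...) into directories where the genuine file never lives, registers three tasks per copy (one ONLOGON task plus two MINUTE-interval tasks, the ONLOGON task and one interval task at /rl HIGHEST; note the second interval task reuses the first one's name with /f, so it replaces it), launches those schtasks invocations through WMI (the parent is wmiprvse.exe, hence the "unexpected child process" hits), adds a Defender exclusion for every path with Add-MpPreference, and runs w32tm /stripchart against localhost from each .bat before re-launching OfficeClickToRun.exe, a common substitute for a short sleep (the .bat contents are not shown on this page). The Python below is an added example, not part of this report or of any sandbox's code, showing detection logic for that pattern run over process-creation command lines. The sample lines are copied from this report plus two constructed benign lines for contrast; the directory allow-list for the impersonated binary names is a simplified assumption for the example, not a complete Windows inventory.

```python
import re
from collections import Counter

# Where the genuine Windows binary with each impersonated name lives (lower-case,
# no trailing backslash). Simplified allow-list built from the names in this
# report; an assumption for the example, not a complete Windows inventory.
EXPECTED_DIRS = {
    "lsass.exe":         {r"c:\windows\system32"},
    "csrss.exe":         {r"c:\windows\system32"},
    "dwm.exe":           {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "spoolsv.exe":       {r"c:\windows\system32"},
    "sihost.exe":        {r"c:\windows\system32"},
    "upfc.exe":          {r"c:\windows\system32"},
    "dllhost.exe":       {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cmd.exe":           {r"c:\windows\system32", r"c:\windows\syswow64"},
    "unsecapp.exe":      {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "idle.exe":          set(),  # "System Idle Process" has no on-disk image anywhere
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}
SHORT_INTERVAL_MINUTES = 15  # tasks firing more often than this are worth a look

SCHTASKS_RE  = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
OPT_RE       = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
DELAY_RE     = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.I)


def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl options of a `schtasks /create` line, else None."""
    if not SCHTASKS_RE.search(cmdline):
        return None
    opts = {}
    for m in OPT_RE.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    # DCRat wraps the action as "'path'" so the quotes survive cmd parsing; strip them
    return {
        "name": opts.get("tn"),
        "schedule": (opts.get("sc") or "").upper(),
        "modifier": int(opts["mo"]) if opts.get("mo", "").isdigit() else None,
        "action": (opts.get("tr") or "").strip("'"),
        "runlevel": (opts.get("rl") or "").upper() or None,
    }


def masquerades(path):
    """True if the file name is a well-known Windows binary but the directory is not."""
    directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]


def classify(cmdline):
    """Map one process command line to the list of findings it triggers."""
    findings = []
    task = parse_schtasks(cmdline)
    if task:
        if masquerades(task["action"]):
            findings.append("task_action_masquerades_system_binary")
        if task["runlevel"] == "HIGHEST":
            findings.append("task_runlevel_highest")
        if task["schedule"] == "MINUTE" and task["modifier"] is not None \
                and task["modifier"] <= SHORT_INTERVAL_MINUTES:
            findings.append("task_short_interval")
        if task["schedule"] == "ONLOGON":
            findings.append("task_onlogon")
    if EXCLUSION_RE.search(cmdline):
        findings.append("defender_exclusion_added")
    if DELAY_RE.search(cmdline):
        findings.append("w32tm_localhost_delay")
    return findings


def ioc_paths(cmdline):
    """Paths worth collecting: masquerading task actions and Defender-excluded paths."""
    paths = set()
    task = parse_schtasks(cmdline)
    if task and masquerades(task["action"]):
        paths.add(task["action"])
    m = EXCLUSION_RE.search(cmdline)
    if m:
        paths.add(m.group(1))
    return paths


def analyze(cmdlines):
    """Aggregate finding counts and the unique persistence paths over many lines."""
    counts, paths = Counter(), set()
    for line in cmdlines:
        counts.update(classify(line))
        paths |= ioc_paths(line)
    return {"findings": dict(counts), "paths": sorted(paths)}


# Constructed sample: first five lines copied from this report, last two benign.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\it-IT\csrss.exe'" /f''',
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'""",
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f''',
    r'''"C:\Windows\System32\cmd.exe" /c dir''',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line) or "-", "<=", line[:72])
    print(analyze(SAMPLE_CMDLINES))
```

Run against real telemetry (Sysmon event 1 or Windows Security 4688 command lines), the same three checks pay off in different ways: the masquerade check catches the drop locations regardless of the task names chosen, the HIGHEST run level and sub-15-minute interval flag the task triple even when the payload name is benign, and the exclusion check is a high-signal event on its own since legitimate software rarely excludes a single executable under a user profile or a Recovery directory.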
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1244-12-0x00007FFE15A23000-0x00007FFE15A25000-memory.dmp
memory/1244-13-0x0000000000A50000-0x0000000000B60000-memory.dmp
memory/1244-14-0x0000000002C70000-0x0000000002C82000-memory.dmp
memory/1244-15-0x0000000002C90000-0x0000000002C9C000-memory.dmp
memory/1244-16-0x0000000002C80000-0x0000000002C8C000-memory.dmp
memory/1244-17-0x0000000002CA0000-0x0000000002CAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5iegtlco.w44.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1804-72-0x000001A25A640000-0x000001A25A662000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f0ddc7f3691c81ee14d17b419ba220d |
| SHA1 | f0ef5fde8bab9d17c0b47137e014c91be888ee53 |
| SHA256 | a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5 |
| SHA512 | 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3 |
C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat
| MD5 | dad65ad65298da598627495c6bfa633a |
| SHA1 | f0451195e31b5bfa823df6d27b16621c9c9b149a |
| SHA256 | 46761cfed914a08cd093e68f31c169c79e5c9957c15f77b4978c671c2310c7c9 |
| SHA512 | 7008a4085b986e11b4247f4751576e272d8250543ad5776475c10ebd65a6ac3630c6ac7474174dab0a13555795e4915994fe18651cfbe2fa0de90f8a42839504 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/3564-233-0x0000000002CB0000-0x0000000002CC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat
| MD5 | af2a37b1f9df2690fda88beac9eec694 |
| SHA1 | aca5c56c7955d6a4ecd6d966d6d0a1bf7e3a3685 |
| SHA256 | 1e72eed3d659ab17ef1aa56c5b382da8f8e6bd36d8ef960c67755a2dc6dcd78c |
| SHA512 | c0134e976c238950a67ddfaaa46d6f1df7f1b6a8b3960bfd6fe72782405ec9c0002f7d1a61016fa137996e845dc3d388c2aeb09a4e5dd133ec1279ea94308935 |
C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat
| MD5 | 0e5647a15d6c9d6d380b6c01418e7dc1 |
| SHA1 | 43ec7e8d368cdbba2a1e5b9ecbf976f12456b274 |
| SHA256 | 97c8eeeeb3e6b5272adea811444697d69bbfca992f8ca99a7d5cf85e74f7bc0a |
| SHA512 | 713a8ca2432e68cd0095a78f5d29eef756b340ab9a4f2849fb12070ce2425d28035c2df2a6044b7a6a06a85418d9edf125fd0c69bcc7f13cad08602f1eca4e6c |
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat
| MD5 | 9fe0c118d37f6f2b8aa31f13a320af40 |
| SHA1 | 5e243fd2c9bed88513e4efd4dcc13538bf69d71f |
| SHA256 | b84e0978af07b78aa96e3f4480467ea996a66e1626bfd56c27e3316042ee7efb |
| SHA512 | c780437262697099ea51a31230d7c297349b07a577f56a3fa0eea855f39c47da57f9528aa5adb4ee6f725a4981166f5409aa92f59b46fec8cf64625a0eadd239 |
C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat
| MD5 | 1dd3675127c4c07355c722d705b31a9a |
| SHA1 | f2f97b6e2b8b285344b2b18b22e97c91e67e2e78 |
| SHA256 | ad289e2625027469b9c4c05b88667a7424ac51f46a740edbcf7019b32230ffce |
| SHA512 | 65c4f5de88bb7b988f22e10eae7ba8d6b8493c9082991e4922a1723c63f4dcfdcd2a768395db9f29fa6bc04ce8a4a3e03a37759ab22f30be474d53242fa134d5 |
C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat
| MD5 | 918a2b385c00b164abc7570eb8cb1f64 |
| SHA1 | 88a22cef338fd986b482c7db187e513200ba5947 |
| SHA256 | 47ff73d641b1fe6d49eae2f4fdb0ccf7d7ba2c61641bb5b7e1af59839bd1dee7 |
| SHA512 | d2468c16c60223496afb9b0812c5eb83122a56a9eeb9845ac327e334a23180910011ee253c84ab465c9c8a7a2218693a7ce6fa06fc72816f1ec1cc4833b4d3ee |
memory/2632-264-0x000000001B380000-0x000000001B392000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat
| MD5 | 93ed0dbe347c33c0bf0306389afdbae4 |
| SHA1 | 6f2c141b40291908efabc45252cf5d7f93decf85 |
| SHA256 | cf45b84e7abe0cba54527945369887019b593afe3c6c92a9b8f5ac9002f9775b |
| SHA512 | 88ca92457ff97011f4ec844ee86df46dac8efdf19368c110de478da0ff3dd452ce3b418ca98401ae67caabba0efb9a540fc07f957932e3c4a83601897fcfe2f3 |
memory/4608-271-0x0000000001130000-0x0000000001142000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat
| MD5 | c7e84126a2a1150993d18190543bdf64 |
| SHA1 | 788deab4800cb1b47f82d7dc94bdc40522f2172f |
| SHA256 | e47c6813dd0eafd5ef56a4f48ee205d01c7f83a1f46c2c904ef8bb10af414d53 |
| SHA512 | 9f1f3bd81bc95d57bbe58901bb19f0b461d0275b7650aa007e541304c63456dbac7ddb97bd45f7a5ae5cd7bff152420c07c24ff42953c46b177e44f4e14e8a4d |
C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat
| MD5 | cbbf014dfa7a10ec86a5f617f0828510 |
| SHA1 | 9204d578a985d49080512874091d150e297d2fc4 |
| SHA256 | 31e07c1a8720aa579b35ee86a81c82559d96a37bdf7f23f1f9f951fa9b5ab609 |
| SHA512 | c9df6f71250cab90689c69dceb840cd5b9e504006aa217854b839879f9e55ec304b80fe3e55c11b1f692b05367f47664d0b3e99f30d7d622e9d4e1c47526a366 |
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat
| MD5 | e32e88347e05dd0519094fb464327f4a |
| SHA1 | 32fd4e5867f56ad3813abec043375c4ae12a3492 |
| SHA256 | a21606ddef85f51242200783f0d7db6f7d6b41d9dcf0ea53be7bc540fc465d02 |
| SHA512 | f055c676fcc93b586ac13a69e9752db4d60ddb8c8b4e68cdebbd10195b832733e47a355493a5d93cbbd8d5e20e8b6300e79f5d4ae098abdaa75f63add2ccb21e |
memory/1940-290-0x0000000000C80000-0x0000000000C92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat
| MD5 | 98141cb129594e06c33e08cd6ef6671a |
| SHA1 | fc3fa9ed1bb481f845a4c4841662d8551dd0db13 |
| SHA256 | 099c70aa25a13c8e02ecbce0e28acab9dfd94b7efad9e21713bd532c96df8f86 |
| SHA512 | 2622d1a68c7c69889265306edce3fc8ca789f8098e4e47849b8e217136f38510152f7692df42d45566c6a49fe2a99d9bf928ca977bbb705d0e53c02aa5bba1a5 |
C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat
| MD5 | 025c21ef33cd61a52503b173196bb7a8 |
| SHA1 | 668be6176a32779863ed6bdbec4c797be36443df |
| SHA256 | 1eded88ee832648d6c61332cecfe29823a586e1953693bedb54b39c322bcd5f5 |
| SHA512 | e95e646a39c4f7affe538e033d639e3e3fb9ca861701cb168b9aa9c620cf609a0bae815fba9df722ed51486f949708a6dff7fddbda3c8b916d611e847b263934 |
memory/4988-303-0x0000000000FE0000-0x0000000000FF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat
| MD5 | a4707ca3fe7a351dad643e270d6a2ca1 |
| SHA1 | 33ebdb522c9ce1e60c7c018bafa663e7d51a7951 |
| SHA256 | 3450121906a472b13aee8e92e612d8594de2e9d3a00493be0afee0575cb868f8 |
| SHA512 | fcc7e466fa072eee7db4b25599083c2b6bc9a0d27902552248b3419fc3ee9c0f6e7188caa6f38a9a6566bf4a1b357089c7f0d3653e0f1eac938528c7f830b124 |
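The dropped-file entries above (a path line followed by MD5/SHA1/SHA256/SHA512 rows, interleaved with hash-less memory-dump names) are ready-made host indicators for the batch files this sample writes under %TEMP%. The script below is an added example, not part of the sandbox report: it parses the report's listing format into a per-algorithm lookup table, hashes every file under a directory in a single pass with all four algorithms, and reports matches, preferring the SHA-512/SHA-256 hit over an MD5- or SHA-1-only one because those two are collision-prone. The embedded listing copies the first two entries from this page; the scan root, the function names and the handling of malformed rows are this example's own choices.

```python
"""Turn the sandbox report's dropped-file listing into an IOC lookup and
check local files against it. Added example, not code from the report."""
import hashlib
import os
import re
from typing import Dict, Iterator, Optional, Tuple

# Copied from the report above (two of the twelve dropped .bat files plus one
# memory-dump line). Raw string so the Windows backslashes survive as written.
REPORT_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat
| MD5 | 0e5647a15d6c9d6d380b6c01418e7dc1 |
| SHA1 | 43ec7e8d368cdbba2a1e5b9ecbf976f12456b274 |
| SHA256 | 97c8eeeeb3e6b5272adea811444697d69bbfca992f8ca99a7d5cf85e74f7bc0a |
| SHA512 | 713a8ca2432e68cd0095a78f5d29eef756b340ab9a4f2849fb12070ce2425d28035c2df2a6044b7a6a06a85418d9edf125fd0c69bcc7f13cad08602f1eca4e6c |
memory/2632-264-0x000000001B380000-0x000000001B392000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat
| MD5 | 9fe0c118d37f6f2b8aa31f13a320af40 |
| SHA1 | 5e243fd2c9bed88513e4efd4dcc13538bf69d71f |
| SHA256 | b84e0978af07b78aa96e3f4480467ea996a66e1626bfd56c27e3316042ee7efb |
| SHA512 | c780437262697099ea51a31230d7c297349b07a577f56a3fa0eea855f39c47da57f9528aa5adb4ee6f725a4981166f5409aa92f59b46fec8cf64625a0eadd239 |
"""

# A hash row is "| ALG | hexdigest |"; any other "|" row (e.g. a header) is ignored.
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
EXPECTED_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Strongest first: an MD5/SHA-1-only hit is weaker evidence than a SHA-2 hit.
PREFERENCE = ("sha512", "sha256", "sha1", "md5")


def parse_listing(text: str) -> Dict[str, Dict[str, str]]:
    """Return {algo: {digest: reported_path}} from the report's listing.
    A non-table line names the file that the following hash rows describe;
    memory-dump lines have no rows and therefore produce no indicators."""
    iocs: Dict[str, Dict[str, str]] = {a: {} for a in ALGOS.values()}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m is None:
            if not line.startswith("|"):
                current = line
            continue
        algo, digest = ALGOS[m.group(1)], m.group(2).lower()
        # A digest of the wrong length means a transcription error: refuse it
        # rather than silently hunting for an indicator that can never match.
        if current is None or len(digest) != EXPECTED_LEN[algo]:
            raise ValueError(f"malformed hash row: {raw!r}")
        iocs[algo][digest] = current
    return iocs


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All four digests of an in-memory buffer (used for small inputs/tests)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS.values()}


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """All four digests of a file, read once and fed to every hasher."""
    hashers = {a: hashlib.new(a) for a in ALGOS.values()}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match(digests: Dict[str, str], iocs: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """(algorithm, reported_path) for the strongest matching digest, else None."""
    for algo in PREFERENCE:
        hit = iocs[algo].get(digests[algo])
        if hit is not None:
            return algo, hit
    return None


def scan_dir(root: str, iocs: Dict[str, Dict[str, str]]) -> Iterator[Tuple[str, str, str]]:
    """Yield (local_path, algorithm, reported_path) for every file that matches."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable/locked file: skip, do not abort the sweep
            hit = match(digests, iocs)
            if hit is not None:
                yield path, hit[0], hit[1]


if __name__ == "__main__":
    import sys
    # Assumed default: the user's %TEMP%, where the report shows the .bat files landing.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", ".")
    for local, algo, reported in scan_dir(root, parse_listing(REPORT_LISTING)):
        print(f"MATCH {local} [{algo}] == {reported}")
```

Paste the remaining ten entries from the listing into `REPORT_LISTING` to hunt for all twelve batch files; the parser accepts the same row shape whether or not a header row precedes it, and rejects any row whose digest length does not fit its algorithm, so a copy error surfaces as an exception instead of a silent miss.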