Analysis Overview
SHA256
e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97
Threat Level: Known bad
The file JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97 was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
DCRat payload
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 01:49
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 01:49
Reported
2024-12-30 01:51
Platform
win7-20240903-en
Max time kernel
141s
Max time network
139s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\Start Menu\csrss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ServiceProfiles\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\ServiceProfiles\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\diagnostics\scheduled\Maintenance\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Start Menu\csrss.exe
"C:\Users\Admin\Start Menu\csrss.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2876-13-0x0000000000380000-0x0000000000490000-memory.dmp
memory/2876-14-0x0000000000350000-0x0000000000362000-memory.dmp
memory/2876-15-0x0000000000370000-0x000000000037C000-memory.dmp
memory/2876-16-0x0000000000360000-0x000000000036C000-memory.dmp
memory/2876-17-0x0000000000490000-0x000000000049C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | ce0097acbbf4767617e75fa92f28383a |
| SHA1 | 3a4121add5c47f89f7217a62cf6b9e403a0e62db |
| SHA256 | eccfca8f40eaed0027581b197493baffd5b6d50f3f838ea52919686b29fd6ace |
| SHA512 | fea6ce33002b4cce41b70ccb5c9a467c2fd29cbda7d6a007bc404384aebcb67a0f9fe2e3c26aa39a71b12834a32fd195cd36ec0f5b88bbc929a9ffb1ad57f0b6 |
memory/1348-67-0x0000000001FD0000-0x0000000001FD8000-memory.dmp
memory/1536-65-0x000000001B680000-0x000000001B962000-memory.dmp
memory/1940-46-0x00000000009D0000-0x0000000000AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabCFEE.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD020.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat
| MD5 | b52e6b0af75f9dfd08e3425820e324b3 |
| SHA1 | b819b70732b2d81a20cd2e4741dedf8e4d1700ab |
| SHA256 | 85e70f19e115e8431a5ac28d89e061d797ac7b95badb874994875d97557851a0 |
| SHA512 | bb889609632ea61117d30e90d00d8b2b2712ca69d9ecf7701684cf9b6c9517de4aad6e4c4298ab76a094a8979e730a24e9accf5268b64782add7a384847047be |
memory/2472-166-0x00000000010D0000-0x00000000011E0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b18a246b1b55009c4d8d9d986b04bb9f |
| SHA1 | 2c0b0826d75713ac4c0d22ff5a152866e8e2d6dc |
| SHA256 | 705100e2ddf0b1aabfd2211f8bf31839d6d625bfebc363b1170a2b0113aa8bab |
| SHA512 | 5563ea49b2e5c46016f17bebd9ebcfd108147a946cdffa72bd2b4b9e41fb8edaaec679dcd343b15a3107de96507626f4237064f8f452735c10767d1da5aa53ff |
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat
| MD5 | 06d26af56e257f682b68257766abf101 |
| SHA1 | aa03a6ccbaefd4aa1c462590953f7059b475a642 |
| SHA256 | a8b5accb6a2f9df68289d87cdf7699e58ee7e6e97346ad58b2c6c6f0055a3009 |
| SHA512 | 2377cfd72c032a5fe00b0697a0620480c9a1afc1dfebfd4e90cda781800e7777f960e4598387bd118ce7d3bdc0aaba06ae458f40c715cbcc21b5269760e5d84f |
memory/1920-226-0x0000000000150000-0x0000000000260000-memory.dmp
memory/1920-227-0x00000000003D0000-0x00000000003E2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c32ed38c5074443065a3d2b54788b94 |
| SHA1 | 7af4ad97acf0f5222b0e030bea3e834e9ff12aa1 |
| SHA256 | e2368198a1919033201d4c87bd22f110361d8c6d63cd8bdd3e652be435e2ce53 |
| SHA512 | 5e3b529094684233bd00629726c6751ef5f55fdb7d8fe0e4b690ea01032417ac06390772db38effd055094b0960efca2f85c080baf92dda03a812a6df86f243a |
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat
| MD5 | 9538bc0ae429c90c0a0137aa38ac8814 |
| SHA1 | 473f923cc7654350a5a2bce6de23cd5099037726 |
| SHA256 | def247b79b27fb2a288b785644d494af070e1477b5ae78f829c72b891519103d |
| SHA512 | bbca0fae7e10fdf8d98b1fecba64ec8b7a09934853a04f3d7f027e62de0f3024fc22349cb5b345dbb4fd4ba77856cdbb8312e1d2b9e0e04c6132ea34841bb98d |
memory/2920-287-0x0000000000DE0000-0x0000000000EF0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf16de6b992e4d04c0575ea63e035234 |
| SHA1 | 26cd873177a27f085dc9d87a98c3c41f7fb7fe11 |
| SHA256 | 5415c9f8300fa4f4f29fb8fe025c8e7504e3502754c1de2bc54d2e5718151c46 |
| SHA512 | 9cbdabecea4d7d04cd2cb7367087594a5b746a6eb7f1feebc36f9d4ab149235fcf12661f455c5ddcb96da2ebd365ea6a74c3549650027eea1d8c7afa50039590 |
C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat
| MD5 | 07937a44eaee82de4f0735e604749051 |
| SHA1 | 68f8bdcf93d0694339607e694f3281301a6db243 |
| SHA256 | 30711f082b50ce57ecb273bf5b63e5bca5b6d9f55b4f0dafbef77995c1616bce |
| SHA512 | 3d8435ef87d840e3ddef838699adae0833abc9cbdbca80cad147c3b980a1bd4d78b0782b1e0dd2eb88ea1bcaad1c98ee5823286a36896d17e3f0d1d0bfa63410 |
memory/2980-347-0x0000000001270000-0x0000000001380000-memory.dmp
memory/2980-348-0x0000000000140000-0x0000000000152000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d15fc85b375dd140efbcf6337cd93f42 |
| SHA1 | 864fafc531dc9abaf5fef2242728b77c09f27d57 |
| SHA256 | e0a9acedb532c508ec7c62a1f229b411aef615c78e22f379ac65f002649d64b0 |
| SHA512 | b445d4b533e00145d8cc4cbac1074b7e9c2fd48e5238dd0cdf4673d9a132cc5f10fc782a6fb3a2e593c71d961b9306ad54f605154240c2cfe1c36b11f2842ae6 |
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat
| MD5 | 31c644a878251fdf031f2da9e5f0bc39 |
| SHA1 | 30cee9d9c25a779af29bb1539457ccad2107d365 |
| SHA256 | b89b8627e332c3716b2d345b5b249881310f3024c2dccd84982889f9ae87b291 |
| SHA512 | 97863f7bc42cdab39048f30e80461d4af76dcfc5d9bd25b9a2041a4e16221cd99368c64bf01896d6c9472b8401d4688d9ac990885f7187f9bfb418a0e75a2996 |
memory/2016-408-0x0000000000250000-0x0000000000360000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 07c4606db2bcacc6b8dee1f58d1456d5 |
| SHA1 | ebb2084fb76fc9026d282338665ed1d63085173e |
| SHA256 | 94de8d6679ce4d79b86b0dddeda4623db23d00d8890262bc8efeb665fcd2d104 |
| SHA512 | aa769cb64be5fbee4e73f303fef8bedfd7fb3238c27028aedc141a6c0c780e150419ffff67e10b1c7a78155d15d9a935030ec00fb7ac891bca613b2d63dcc2d4 |
C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat
| MD5 | bcac7331b0569d613fee7d5309227122 |
| SHA1 | 82c1cd60822428bfaa7cecb6d9e792cb36f1bda1 |
| SHA256 | 8ef366c1d1601b57055c01927477afd625040ed8290bc6e102bc1e2e3a238754 |
| SHA512 | 499230837191ec1d97d645fb32f2b09dddc10a2663875bbbaf86084af766e4a01554e46bb2e602c2c0a32dc6a3f12bfddfc07596e200a360b4a1ac6e63017882 |
memory/744-468-0x00000000003F0000-0x0000000000500000-memory.dmp
memory/744-469-0x0000000000280000-0x0000000000292000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5eaa97e81a7aa1a1de8e2b686ca1394 |
| SHA1 | 1930ec9f38bc0355c084f5532924e31cb745a465 |
| SHA256 | b9149a1fe7e652e6aa8cd299e13359532af6a003b39330654a7d318be89ac2e5 |
| SHA512 | 857f96d1b319e8b98d35f356f87c437bd4cafb9bd397828c563951be42e317ff385b89c2b913f6806444ab563b8e214f1ae4af2e40323870873b9af4bb0649e0 |
C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat
| MD5 | b80d9f68b6633dd08ad0b7b2f82b7ae4 |
| SHA1 | b3346cb5118c4a89dd195b0d9145e3b503a4d5b6 |
| SHA256 | 26d2ff1759f88cc18c2b0b6712d7e986c2cb5ba4c612c4f54dc576ba49bb68d2 |
| SHA512 | 0c2c582c6a39688c4bd74fbe26a5f55e9d81533d39a3d4eb939ae1b4bd63985ea2e9cda31458293904a726a79df787a572e2f2da41c139ed6764efb786b0942f |
memory/2588-529-0x0000000001240000-0x0000000001350000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c2e11174d0a0d9e918c648f9a7ae2878 |
| SHA1 | af42963341814bd2406d83d055b37da118fb9cb9 |
| SHA256 | ed51cb4d9d8fe0046bff59b2c50116bc29b6e3f731c3248d45d20876d12f7816 |
| SHA512 | 037f85553736b1353369f6b164dd6288f24759db117b135781d0f6a45a85d4e53762bbb18c1ce723d0656c3961c0dabd5f0ecc9f4b911984d7a0225344eb7d27 |
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat
| MD5 | b1303156888e827eacd8058fc806ab03 |
| SHA1 | c87a820abb177eb43d9af2477fa5013329a21dd4 |
| SHA256 | aa6250d2381a4fde9825cd0975b05f20e7c759f3d970c808898a8c69d51babba |
| SHA512 | 8efb30264141498396f34f83442f7c989105be44b2697a40b8197d4cfaebc7bcdfac90cb8b52e6058ca95c9592004fd335d1be74c46c7a80c408572dbacb4496 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5c1475e475b6450341db82862c33baf |
| SHA1 | b6e7c39151361f945b3d06667397aa61b172a413 |
| SHA256 | 46ab323fac00dfc7372e2219f14af25d9c3fb7a6e8899cf44b687ade2acf9c4d |
| SHA512 | e45ad1cd8d97afc35a751f7977aa81472d35cd9f313c2fb695004e6de71554b58d2ee1d492b5bfeba51a7c24ad6980258b806888aeb3bb09859f99b16c71faf0 |
C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat
| MD5 | bf203b6f57145d666a8490546b91942e |
| SHA1 | 4f08bad0acc72ca91dc92b1811890bb37ead9fb6 |
| SHA256 | eeea4881c85c4954bebaebb90fee547f27b792bdf400b75962841c83a0756794 |
| SHA512 | 6e3c0fd84742fcb3ebf3034038ebf22e02971b0030f52eaba45a75283acfd2c8d75b3e10f16ebe940d47c5be51431097ad19094b66f0ec268193c0e3607027b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ec53179c332ef59c3182cdc95dde91b5 |
| SHA1 | 00a966c147923c6850b0263a958b729974b4eb47 |
| SHA256 | 448cfcb5240d3e8f335c51def97ae91af2562d5233c367f131df6d907bd16683 |
| SHA512 | 0c6e39e8b66ef45f8ad47e2581ee095e7147e68493a2fc6d1419df15b0b10478d089aeec661168cd63f8afe17ad872e13c70a57d72c338c0db786e02ea801b0f |
C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat
| MD5 | 2b89798464608f791a33840df0cde1b6 |
| SHA1 | b3316e20d6a2d64dc54f4d3fd4b3fb8f1613e8ce |
| SHA256 | a405c523468c1bfea9e98371767a6efdc15b491b29d448ad305641cff444c9ec |
| SHA512 | c47aeff15fa77eb1314807be1f72cef9796b00a99d212a1c0a41fba981fc1f38578e0a9739c39f5a592ddfa873ba87ff16644300710eb1fadd23f2b3e5c4a6d6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 01:49
Reported
2024-12-30 01:51
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Registry.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ee2ad38f3d4382 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\sysmon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\121e5b5079f7c0 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Boot\taskhostw.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\dllhost.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\providercommon\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Registry.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\sysmon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4376-12-0x00007FFEC5E13000-0x00007FFEC5E15000-memory.dmp
memory/4376-13-0x0000000000DF0000-0x0000000000F00000-memory.dmp
memory/4376-14-0x0000000002F70000-0x0000000002F82000-memory.dmp
memory/4376-15-0x0000000003000000-0x000000000300C000-memory.dmp
memory/4376-16-0x0000000002F80000-0x0000000002F8C000-memory.dmp
memory/4376-17-0x0000000002FF0000-0x0000000002FFC000-memory.dmp
memory/3148-79-0x0000024C66EB0000-0x0000024C66ED2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nijybstm.jo2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4432-95-0x0000000001700000-0x0000000001712000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f0ddc7f3691c81ee14d17b419ba220d |
| SHA1 | f0ef5fde8bab9d17c0b47137e014c91be888ee53 |
| SHA256 | a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5 |
| SHA512 | 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59d97011e091004eaffb9816aa0b9abd |
| SHA1 | 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b |
| SHA256 | 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d |
| SHA512 | d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 649a4b7d64d3fa6f28e6237b4debe3af |
| SHA1 | a58c2dc5cc807856ce9318c47fb83138ab561a43 |
| SHA256 | 34fd3272cafcaddfbe9291667d5b5d32f59e933179031477edcd8e5aa8582c11 |
| SHA512 | e427668fb5ac97de22764cf87bd570b11c8d8210e8f1d895266a13b16fdb31374f0bd0d4155bdde09c90b4b5e60b54cb17a064c67495963a2cd2a54860a32612 |
C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat
| MD5 | 3bccb221f77bc31e13f53ca1028d8bcc |
| SHA1 | 8987e549217ea88b6039e44ef53759f85d28d77c |
| SHA256 | 82f285f921f6ac235ed8436bfb2085b3840046b9d8acd8a3c41f0b2fbba66bfb |
| SHA512 | 4ab087b45581fe42c1e3fa2d8f9dcce430dc032693fe200c003a41e0c4c954c6e837366721738902b2758e2067c97a694749c39210f6b1a8e78c2dbba224a140 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/4644-233-0x0000000002CF0000-0x0000000002D02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat
| MD5 | 88f82a1898a60623f3d933e6bdfead0a |
| SHA1 | fd5a0b04a007044946d6d0b0337a71d1458324b3 |
| SHA256 | cba3df7667418dda1b5ed6b7828b926977766514ed4a209aeb5f5396e9fc2dd6 |
| SHA512 | f4d20a3ca873c8cccb3fa69275007076d4caf72f7d286da95acb8243588be2e7b994ba901445497230763534dc72a34b11bff41a4f23e23d203f357741faa282 |
C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat
| MD5 | 6cb18b0f123439d2196b15f98674c4c4 |
| SHA1 | 4d9662ad10d627269bee88d7b7172ceaf148b03a |
| SHA256 | 0ab0ff24262b08b65433ba0bd56c4bb263f739f932620c4b4667ce8e430865cf |
| SHA512 | 88e8b9f82c03951d9d2c2f4e3a0898e896a038b878d085ecde44eb5812d739f02c5de42f2253dba72b1bc2d79c796f88c014a71eee1db59b3c95f44323bca699 |
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat
| MD5 | e2fb27d517b6fd7f7a49603b66914e2c |
| SHA1 | 8948c561c3c7413854286032f9ef8fdcb0318b18 |
| SHA256 | 5630f23c607ffde9936a75e81b91a3106a818864b3c2d478679a0d0c7c459ee4 |
| SHA512 | 75f9b42f213e6a7f896cadfd788da932ac9ccca83415d1b96ab9510cec7ee642932e634434dfff17aa888706cd50e5d99df0ab28ee1aebb479ac1ae2f758a8c1 |
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat
| MD5 | 227d0b2e10590238d00871b65f36d148 |
| SHA1 | a6e4a37c2a43c1659ba96bd82edf4e0cb96cff20 |
| SHA256 | a05d4668edadaecbdffa9a563882deff79dc0c5b183c0867368fd806bf39a1ea |
| SHA512 | 0d7a3b4a627504b29068250cbd1de166b8aeed1bfbdacd540213409555d13f0b76b074cca047ce86ec1caece986d6080bd56285d7b7394a42b2adc6ce2fced2f |
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat
| MD5 | 4b57c218a0479a4c250b601c28ef156b |
| SHA1 | c960fb069b54f1049bdb62a7ce1a937944bf3bb2 |
| SHA256 | 12ad9ee5664966ca61551e8985bd3431ef974d96a625c79741f87bbe0751cb28 |
| SHA512 | 1a92be358718b9ea5332eed5377063126f73235fe373283ec8b37a1273c0a8a94e453c740eccf4368ba9cd2609b0aa6684306810e7dff4557c4ae32ebe44c974 |
memory/4240-264-0x00000000025C0000-0x00000000025D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat
| MD5 | a5857843b7115a932e5a04e163fcac1f |
| SHA1 | 8ec4f622a45838d9754c2976efec83d1f5091f68 |
| SHA256 | d5af15ce99454d1ed9826c84de6628581577f38b28b20ff12ceacc54dc3d3acc |
| SHA512 | d4ed007f25b77777301b795a0bc859453389f5cc0d23e1c08185e73f2522b606e43587890ddba24f02bdc93c4861844d6baa37bf0f51002e287125afc3a4fedf |
C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat
| MD5 | f2b028788b1dbdd99b21e4ca1dea82bb |
| SHA1 | 07677434733c14b261dd2e95b627882616f62d34 |
| SHA256 | 9521a0e2e8e72c37286cfa8e8956270f88f454ccc124eb31d108d25de3f3c965 |
| SHA512 | d60458a0603037c97490580ca76f64f6ced15ea37a3c98bfdf30708e8b7173fbf9761dae8a385e3553c49b5fdd34b9769799f3f6b7b8000948f6e64ba2cd147a |
memory/1960-277-0x0000000002460000-0x0000000002472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat
| MD5 | cde009c98223ca14992400e3a83af4a6 |
| SHA1 | b5f337922134873a9c96b0356f55e1833c548d2a |
| SHA256 | 4620e6a48ebfe209d90a4b0a845e834fb8989ee182b856586e5a3673bf7d34d7 |
| SHA512 | efc4f26a42c55e04efd3865104dd1ccc4dac12495a52168706adb93c4d1c7b98fcbdbe9806a80a232230c8e15c4e341953f325aa4fcdaa468977906bbf5b7fa2 |
C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat
| MD5 | 448e791c9bc2fdf6697504ba2287944e |
| SHA1 | 198efa6861d0ac6eaf977ec96624a4cf26667d92 |
| SHA256 | 9166d57debfdb0956927ca4d354c57aeaa25efe47fbe671631d41aa6908cfa44 |
| SHA512 | dce9ba5ba4127598bcea364c8881fe5716eedc90f56206aa141a3bcead6f4beada7fbca69ef8b0baf06bf6bd904f94ecfd83d27a6f66c618fc469fb98260246f |
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat
| MD5 | fc77842ecfeb18b7f087d84f850c9d09 |
| SHA1 | de1aa904324b4feb24fcdb3bae6875659495565f |
| SHA256 | 275dc50dfc44ac41ac9a744291da4174ea888fa36146f941bc3b85be0ca34dc7 |
| SHA512 | 6e43d9d960b1a954d63db17714fb437c9074a8a9c67c7b9772eb3b6aa1ac7342ce780a9bde0e79d390d38bfc9b4ae7faeffadd7b1abcedc17bc2de28e82147a8 |