Analysis Overview
SHA256
cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d
Threat Level: Known bad
The file JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Process spawned unexpected child process
DcRat
DCRat payload
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:34
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:34
Reported
2024-12-30 02:37
Platform
win7-20240903-en
Max time kernel
147s
Max time network
147s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jre7\bin\dtplugin\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\dtplugin\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\wininit.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mk2kVjaeOt.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
C:\providercommon\DllCommonsvc.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Local\Temp\mk2kVjaeOt.bat
C:\Users\Admin\AppData\Local\Temp\Cab6931.tmp
C:\Users\Admin\AppData\Local\Temp\Tar6943.tmp
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat
C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat
C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat
C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat
C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat
C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:34
Reported
2024-12-30 02:37
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\winlogon.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Office\unsecapp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office\29c1c3cc0f7685 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\e6c9b481da804f | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\IdentityCRL\production\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\IdentityCRL\production\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd2d9319ab9fd432fb58d195688ced06a6512d62dc6bf351b18b28653b9e883d.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\production\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\IdentityCRL\production\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\explorer.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\production\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\explorer.exe'
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\winlogon.exe
"C:\Recovery\WindowsRE\winlogon.exe"
Network
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
C:\providercommon\DllCommonsvc.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_34v30pbx.yri.ps1
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log
C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat
C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat
C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat
C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat