Analysis Overview
SHA256
b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38
Threat Level: Known bad
The file JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
Process spawned unexpected child process
DcRat
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:36
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:36
Reported
2024-12-30 02:38
Platform
win7-20241010-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\DVD Maker\es-ES\24dbde2999530e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2532-13-0x0000000000B40000-0x0000000000C50000-memory.dmp
memory/2532-14-0x0000000000150000-0x0000000000162000-memory.dmp
memory/2532-15-0x0000000000160000-0x000000000016C000-memory.dmp
memory/2532-16-0x0000000000460000-0x000000000046C000-memory.dmp
memory/2532-17-0x0000000000470000-0x000000000047C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 5f8ddd7eef14b8347cbb62296450a9a1 |
| SHA1 | a87bd124822efe15642919ffa7eed3f9118309e2 |
| SHA256 | 34bcfd0dee332d2220b55c457afaa6bb0e68fbcb7b2e26a4124cb55fb58f3f39 |
| SHA512 | a2da0cd4599737ab531daf0d4549a1c6db8109c48930762d0eb5610449d871c69d127acb92da06ed711b35e053b1b19cc864e7268b65356a6a32fd6afea01262 |
memory/2008-64-0x00000000025E0000-0x00000000025E8000-memory.dmp
memory/1636-63-0x000000001B330000-0x000000001B612000-memory.dmp
memory/560-65-0x0000000000C30000-0x0000000000D40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab2148.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar2226.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat
| MD5 | 8e9b7517238a31e3e7cda11b63d6d428 |
| SHA1 | 9858ff7f3bb325dbcd925a43416f704ff19c04ae |
| SHA256 | 5f8c911dda30ea569e830e6b3100d28be401dc1682e255b8eaed4805c9927bff |
| SHA512 | 33248dd8fde364bdbbf0cd76549419877b831f70d98374ca5a9f8822685b2068e8a2efed16c32e17091d2ed264c24fafee491c0fb59e63f34deb4825c76494b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b8d66c31ba12ae062080bf8f2012a16f |
| SHA1 | 617d54c9faa7d17ba83ca7f0adf83e4d461586f6 |
| SHA256 | 7d59852b41c4715f3887e396407652a9a1de4250d0bb754cbba71015825f87d3 |
| SHA512 | 79f15b48c938ed351734de9f76848d17763046dbe038eb6485b9a3f300d889ab307aded66a53b458564b17c39bcaf1d9937a21afa3f146839d74300595bd640b |
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat
| MD5 | d212005ddf019d9b05048ff47d126df9 |
| SHA1 | 94be5f9bd495b8b481e02a5ec19c5672b2a06f97 |
| SHA256 | 56fad86664d544d4707cc6eccd838e5cbf88281e59b2c6b23acb0c2abd90be36 |
| SHA512 | e919875257a02e137e8b32edf23da9a73bb283185b6e615a0ce0a36be7acbc4f501230e3d167c05412b1c7861be88cea12399761869e8b0cfe5f65510ddab9cd |
memory/2328-183-0x0000000000F80000-0x0000000001090000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 610c5fc0e0d2975909293f47c415a44b |
| SHA1 | e896a49482af78097edc2892729edb496b57a77b |
| SHA256 | 44dd1b37b7cfa1946e63e012d000db5d24dfd037f45ffb7ed20a226b662b5ab2 |
| SHA512 | 6d4cd354312d0e8b7ab3fd2020981f0ff8906e050fd1d00e8c55415d8af5ffeccd8ef8c66d452919d36d1096f3c03ae9b37fdd1a09f97b9000e63fd22a797ba2 |
C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat
| MD5 | d7ba321fb5061f8d7d9e9258e5646fae |
| SHA1 | c09d5a16e98169869498bd5a00cfc413a6528992 |
| SHA256 | 4949e7101d98db0b49c3813e254a4423688c46d7d12ae5a11289249427ed1841 |
| SHA512 | 00fae0c2c07eb7b5e39a9b1b8dfb9bdca8a15981ddf104593d9ca647daf4655cba3f241689e7fdc919abdbd66d4a41135b67e7ce282c9401110ee40c1d36025a |
memory/676-243-0x0000000000140000-0x0000000000250000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 242e13b78564a0740458950b2bc3a599 |
| SHA1 | ba7d368c5a4efce769da4c5a9a994d18b9e5b549 |
| SHA256 | 5efdd686430bd72c9d214e2f187f491a441ab688d2416ca6d94cf355bff22d41 |
| SHA512 | 915685974512b5fd7a8f32d135c0f029c23b02f9a1012a7712fa79a0afce8a614f0405df107295ac3ca196b57dbdddca9153069ba50dd142eaca91980d518e16 |
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat
| MD5 | 4fdea8c82f6ce406ffb4b2d419d9e461 |
| SHA1 | 6a6b05e3c4fc68145b8fae05fca6193f5b9d46c3 |
| SHA256 | 634c1273613d307da7b02f235bb33b91dec2b55625a5d973bbac6273b801c709 |
| SHA512 | 9925a12d5a5de256cbae0836515240f7fee3973a345d75ea3cc15beb00c295a9a780cbcbeb53fb2281cf6d95279e83a2a637e01716b2a83d90488e8549dbda96 |
memory/2760-303-0x00000000010C0000-0x00000000011D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7ca871830d74c945034c85fb62bbf59 |
| SHA1 | 44749e0d5ea615d993f55b03055aa2c48fa2bcdb |
| SHA256 | 3052187ab098df24991fdc3ef3e0c71a540070d86daae98c5763709f6fe4cca4 |
| SHA512 | 713deb1dd80e5facb8cb1428e61aaccab44b5f87f858944fa6fc0e66a799ac70bb528d1b187b677747629af09533fb9294cb47263944568edaefcf8825521f92 |
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat
| MD5 | 351d28a3986f0c0ecd62e2217bae02b8 |
| SHA1 | 308e2cb650e43d2613f4cdd866c0458344ba8f28 |
| SHA256 | f3efddc52667920f107ebb17b2d2bca9841d10a6c036a54cde9f8b72a877cef2 |
| SHA512 | abbeb93fcf741ac14d298ec19ff20efbeedc7a47800459daa56a5d703cf2fa4f626812fc71fb32b91f4dae062b9ea6c68abebe59a3f75e2fb01af985e9b673ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | be6d3f17e7a18d87b46873d5ff93f199 |
| SHA1 | 0295a235a29d6484a70cce188aec09bb0fa0d5b7 |
| SHA256 | ef9a6a93ac0461e0f3ad14ca88e811ac8729a9b79726281a5582227f7a105689 |
| SHA512 | 20e3aa99a17a677ebb5ac5b713f82612813e000e03dc1df6f99d8eed6e8363e08a812b18ffa03124fc6b12683bffec0192cb7926b4db431590ad15e297a126c6 |
C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat
| MD5 | 6ca500488e449c4bfd353a421e312e9e |
| SHA1 | 2a32e08373976f7ddb51224f2c4ab3a88d8218e3 |
| SHA256 | 88145e0a111ddf6852be73113352ec5d6f18cd1cbec16695eeeaba6f82da1545 |
| SHA512 | 74c2b904ecac428bff89df90ef82b1769925106b53f0a25b0092fbc62cf1c465139335e62bb758dad94f913456c1dcbf71a4fdae034a340d141f5e8c79035da8 |
memory/2976-422-0x00000000000C0000-0x00000000001D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5cf4a435ce591cacfd4afd607cad38f8 |
| SHA1 | ce98788664976d9cc44c44cfbad0f2841666e1b7 |
| SHA256 | 2da689833f656400dafe8ec6511866d29291ad59e9b56d69040fb16f6446b176 |
| SHA512 | 39c6336bf0a9ace05c7ea92cd51a0aec5a4fd623ec026761c29e3521f782aab1fa90f04da3a55564cf69205e212274fb74b98b27baefb5d638ae79f88e0b3687 |
C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat
| MD5 | c94380df6de43218d9f196de429e027a |
| SHA1 | 8c9e9f7dadc0beb1ec492ec622f99944c9bd53d1 |
| SHA256 | 7e6cde92844d368457e519e76186a89a0554042dd1cc93d25b17b8376bd7b7a0 |
| SHA512 | 6f281e5b7267ef0fd2ab4ac54629050bfd293591a62e2a16c5bfc4871da2973252fae334ffc42937e41cc7d14b6a13b503a06b77bf73d16e8555e8b146e2f2b9 |
memory/584-482-0x0000000000910000-0x0000000000A20000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ceaf69542787717b7667942b715cebc4 |
| SHA1 | 175a11e35b6b23fca0faa9e309a4e058b027ee1d |
| SHA256 | 5ac19dddf5f78049fef9e86df62d43efe6d377289ed308d6a54001ae105b9e5b |
| SHA512 | fdcf23001be26e5683a7f34d46d5a04ddb4057d8af98b5f898459d6e4f2a5db60547708db441f5b048ed8383f089c1e6c845e314f51bf80318894a1b3de61b80 |
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat
| MD5 | a9d5892fee439cffe7add2d6226039f1 |
| SHA1 | 48e514211449d144ed9cd6ebd1ec174ec5b44f08 |
| SHA256 | d67d070a5b0624824b532e7c3f2d4e491bdb74f3112baa3603facad631060ab3 |
| SHA512 | 01415340545b61f300f2f4263eafa57f85b8850a4d8560ec6925d8c7adcd48a3cef99e0aec297dcc66c0d0d95642246ab69ed04bf19ee52d1b9e5cc6a85eaa54 |
memory/2672-542-0x0000000000E60000-0x0000000000F70000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95f510cf725ffd4ec453ad90eb2d582a |
| SHA1 | 0ffa8fa1d143c1dd5607f866758c4bf065def83d |
| SHA256 | 6f309b5a4558a1ce944aa30631d1fb28dbf4821238c6be2a18158e7332eb4b81 |
| SHA512 | 0e53f25d5f90c93c324776b83435c470f078782247f189ad3d7aef5156e3f76f5fb9895b51c0d849b8bff7d0f8ab301458002e79a9515f86599b7cb64b9c0607 |
C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat
| MD5 | 8ad532d8c24cc53775c8b17f7ee27d40 |
| SHA1 | f62642aad3595767941677ea23cf7a785fecc274 |
| SHA256 | 3bcc4f998ab82e1df3c70e4a6908d2487b848c74e0a0c30c7f7e9647f4b14368 |
| SHA512 | 3309843e8a9fa409f491b5bd206523dcc7d5c40edb87bf1eb9419c85f1b85c9932092c57a2950e6f8b9321201d4ec823ab0a114a0dd267076737c7600273d74c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:36
Reported
2024-12-30 02:38
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\55b276f4edf653 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b158ab70d77cd6fbe79a2d34fcd71eb2845116886937eb211e73d4e72236cf38.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Oracle\Java\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Oracle\Java\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N2f6qnRTJD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqcitxcv.zgf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\N2f6qnRTJD.bat
| MD5 | efcb3059e9f873a82149efe2240d75ac |
| SHA1 | a2d2b1b3f6c4257dd6836c60d2b9ec71828bc3d7 |
| SHA256 | 4450aad2c59d1828f6c0c31baba3f22437c6d57aae746725f106fe7e88db53fb |
| SHA512 | b84a11bc7dbba4129db6d7ae1bbdd4864ba56e5a2b48bd0babd98a6b1015251564ccd9e8dc56865ed9bd302db502b2fa42f623333352720894f9bfd16e555159 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat
| MD5 | ebe15c41139a4bc9296e24789a91bec8 |
| SHA1 | 0b64b0f68a047a78767e902760c1a65192862c99 |
| SHA256 | 9dbd8afaef57ee99e04d57665a5e468c7be2ec5aaee54b194d3667db342a7d10 |
| SHA512 | c881bd48dbe84484ead9ae24665fc414e46cf0305dc68c38159d73ab5812df154b9352c0b12c25673d68086342050cb14c4ed4dec006f30f90611b6f490a5c16 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat
| MD5 | 54aedeb2ab2b519dd5c51b09c291383a |
| SHA1 | 150696cfab86b91f12b708f44e6082367ecc7d79 |
| SHA256 | 168f6ab4bf1932155d0ce0d3739bf0cce9b6c2446e5e360fabbb9bc6ae09c1e3 |
| SHA512 | 2fef228815f115a7516862fb0bd9fae6d12993f0161b517ff1c26b0b5c5c611231d73d06abcd7414f85f9f7832715cff3603e042dc3a8b2aade3f82af7cedd1c |
C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat
| MD5 | c772193c201083225c491eb7aac075c6 |
| SHA1 | b2e7b640aa60967864128c83be9e4028d3fc57d6 |
| SHA256 | 122f60cf51e3aba92f85cebb0ec03ea2f1e2c80513c59c1ef98a89e037d9333a |
| SHA512 | 855f6dfb077f80d8c6f821e71c1dd1a9ea2d6f26fc2d5e073993612d6439de421f4a378aeeacdd14a7f9a92c51b6ccafc2eae85e1482810b63aab10034e66105 |
C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat
| MD5 | dff0b87cd5104be54a5b160ebbcbe5a8 |
| SHA1 | 515ebf8d551593aa3095fcd2bba4ca569fc4cafc |
| SHA256 | c4e316374afd47e6225effb30df3fd213e0611317e56ddf42e3f647134a2ebe6 |
| SHA512 | ca07e9500daed1fe07d729ef9dcc61a0bfee79cadd2b3988c32696a57482de3eafa47b8d5fe5e8e4aa212dcb2d38df15dcbffebfea7433b66bca12d4ad4e22de |
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat
| MD5 | 943c5970309bcef7a88b61ecfdff4993 |
| SHA1 | 251ddbce493058055cf10553ab303456bd179542 |
| SHA256 | 0ce97680b32b360204e8a660e34f2fd0d07b4df80333da6f60044305ef110ffa |
| SHA512 | 14b463e24ba5789076bac9dd8463efa190f3e0645c984853b65a271938a758a577239240f1a9701d530828e9e727270961e7c1ba1e20f2347c02dd15d528ee62 |
C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat
| MD5 | 3d7bfc4ad2f1070df5a2fbf3d8e871e9 |
| SHA1 | 96bb7ea534f5ac161d86009a4aba7350ae35577a |
| SHA256 | 1266efd3f1d50dc1a83e9311d13c3d8160981b0007ead28b585ac066a8acd893 |
| SHA512 | 8617bc733313aee891cf29590ea939ef98b64eb8b4b622fefb0f2dad8f506f60fe1634ae76cbba3833d1cf4ac79df331336d382886c6c3bdfe05888fd5fb01d1 |
C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat
| MD5 | 48711b63f9257c5dc99c82e4c4441c41 |
| SHA1 | c5c7c48c4d45111339f68f41a59d53256532af57 |
| SHA256 | 42a701653497a9deca6cbeb0d35e9bdfff335e34ed28d6535c8e4f24bf962112 |
| SHA512 | 94970cf51b3f167aa3a2668491aa91e033510c0bcb14fb88e9f7c2e09a1caef8a8fb9e99a28a2a9ebe3603c64df5c2a896b60981df08c61163aa5f643e34479b |
C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat
| MD5 | 273bde46d58a5b47d50c75b6e8089c60 |
| SHA1 | 617a226e1bd21485fc8de847f2114a95a531a95b |
| SHA256 | be8ccd95980bdca41c13e41d2bceeaa3e9e78d7b7623b1394c5cf1e9c47a4e22 |
| SHA512 | 5a596d7adff1551425df8a3b453a177f5371638c6486bbf5476fe267f8c85df10211bc36808d42ca694b6204c0444a1eb9d9105c9c95b0749a0459621d9f482a |
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat
| MD5 | 23df55a058582e1755030cb7cf35e631 |
| SHA1 | 035c4799953f8653855fb587c1ef0b7805c00ea5 |
| SHA256 | 31bf2d0b5cc3bbaf23780fafaf356d12c883236209df1d38f9363507b512e212 |
| SHA512 | 0fe3730119a99e02c2b8092c3fcbbb4ec20fc23588f7d6fcd45a55bbfbf511ea309c19c0c3167a11706de032896b26bc749a029dc9e8b5281c9744e34b6530b4 |
C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat
| MD5 | bdc2d32393f2fdd2a9cd4faf3ffeb980 |
| SHA1 | ac6da2920d6b6e02ade123082e93c7ad0db572c6 |
| SHA256 | 43da1b30776456f42deea0ecd61357def80f11cf71ad1714942212a162bd1d7d |
| SHA512 | ffc63d21fe6a340b85ab38a6e14b04a1391ac008b2a02439460686a029ac02a02f06269d9ed11d89cd3013b6424f3e90edc2979f97f8c76db147bde53c96542c |
C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat
| MD5 | 6073a9bce4caa0bf012e1b4b90984a59 |
| SHA1 | d71a00a1cfb18838c00100e592075919590baa4f |
| SHA256 | 9205d361f0731fbef70acc9d0a3b46f715d507b44dff8158c5aacf800d7fd6ec |
| SHA512 | f67c23eb970423a462a8df5718da90ee3a68b9d193b933bda589063a56ae6103f89c8c1abe8b438b72c4c4fbb3f4abfa5ca79663ec94d74ddd917f42c535080f |