Analysis Overview
SHA256
536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081
Threat Level: Known bad
The file JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081 was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
Dcrat family
DCRat payload
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Modifies registry class
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:42
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:42
Reported
2024-12-30 02:44
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Mail\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\servicing\fr-FR\sihost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Migration\WTR\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Migration\WTR\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\explorer.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rRelPrOQ0o.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\dllhost.exe
"C:\Users\Default\Templates\dllhost.exe"
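The process list above records the whole persistence routine: for each dropped binary, three schtasks /create calls (one ONLOGON task with /rl HIGHEST and two short MINUTE-interval tasks, the second reusing the first one's name so that /f overwrites it with a HIGHEST run level), followed by a PowerShell Add-MpPreference -ExclusionPath for the same file. The dropped copies borrow the names of Windows binaries (dllhost.exe, winlogon.exe, explorer.exe, dwm.exe, sihost.exe, RuntimeBroker.exe) but sit outside those binaries' real directories. The Python below is an added example, not part of this sandbox report or of the DcRat code: it correlates process-creation command lines per target path and reports targets that combine several of those traits. The sample command lines are constructed from the process list on this page plus two benign controls; the SYSTEM_BINARY_HOMES table and the two-trait reporting threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Windows binaries impersonated by the dropped copies in this report, mapped to the
# directory where the genuine file lives. Assumed reference list for this example;
# the report itself only records the rogue paths.
SYSTEM_BINARY_HOMES = {
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "dwm.exe": {r"c:\windows\system32"},
    "sihost.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}

SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
EXCLUSION_RE = re.compile(
    r'''Add-MpPreference\s+-ExclusionPath\s+(?:'([^']+)'|"([^"]+)"|(\S+))''', re.I)

# Constructed sample: command lines from the process tree in this report, plus two
# benign controls (assumed, not from the report) that must not be reported.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /f""",
    r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /f""",
    r"""schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\dllhost.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme Backup\backup.exe" /f""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Dev\build'""",
]


def _flag(cmdline, name):
    """Return the value of a schtasks /<name> flag with surrounding quotes removed, or None."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip("'")


def _norm(path):
    """Case-folded Windows path without the quoting schtasks/PowerShell wrapped around it."""
    return str(PureWindowsPath(path.strip("'\""))).lower()


@dataclass
class Finding:
    target: str
    task_names: set = field(default_factory=set)
    reasons: set = field(default_factory=set)


def analyze(cmdlines, min_reasons=2):
    """Correlate schtasks /create and Defender-exclusion command lines per target binary.
    Returns {normalized target path: Finding} for targets with >= min_reasons traits."""
    tasks = defaultdict(list)   # normalized target path -> parsed /create invocations
    exclusions = set()          # normalized paths passed to Add-MpPreference -ExclusionPath
    for cmd in cmdlines:
        if SCHTASKS_CREATE_RE.search(cmd) and (tr := _flag(cmd, "tr")):
            tasks[_norm(tr)].append({
                "tn": _flag(cmd, "tn") or "",
                "sc": (_flag(cmd, "sc") or "").upper(),
                "mo": int(_flag(cmd, "mo") or 0),
                "rl": (_flag(cmd, "rl") or "LIMITED").upper(),
            })
        if m := EXCLUSION_RE.search(cmd):
            exclusions.add(_norm(next(g for g in m.groups() if g)))

    findings = {}
    for path, entries in tasks.items():
        p = PureWindowsPath(path)
        f = Finding(target=path, task_names={e["tn"] for e in entries})
        homes = SYSTEM_BINARY_HOMES.get(p.name)
        if homes and str(p.parent) not in homes:
            f.reasons.add("system_binary_name_outside_its_directory")
        # DcRat derives the task name from the binary, optionally with one extra letter.
        if any(e["tn"].lower().startswith(p.stem.lower())
               and len(e["tn"]) - len(p.stem) <= 1 for e in entries):
            f.reasons.add("task_named_after_target_binary")
        if any(e["sc"] == "ONLOGON" and e["rl"] == "HIGHEST" for e in entries):
            f.reasons.add("logon_task_with_highest_privileges")
        if any(e["sc"] == "MINUTE" and 0 < e["mo"] <= 15 for e in entries):
            f.reasons.add("short_minute_interval_watchdog")
        if path in exclusions:
            f.reasons.add("defender_exclusion_for_same_path")
        if len(f.reasons) >= min_reasons:
            findings[path] = f
    return findings


if __name__ == "__main__":
    for path, f in analyze(SAMPLE_CMDLINES).items():
        print(f"{path}\n  tasks: {sorted(f.task_names)}\n  why:   {sorted(f.reasons)}")
```

Feed it the CommandLine field of Sysmon event ID 1 or Security event 4688 records from one host over a short window; the correlation is per target path, so the schtasks and PowerShell events need not arrive in order. The benign control task is dropped because it matches none of the traits, while DllCommonsvc.exe is still reported without a name match, on the strength of the task naming, the HIGHEST logon task, the minute watchdog and the matching Defender exclusion.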
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3200-12-0x00007FF9A1A63000-0x00007FF9A1A65000-memory.dmp
memory/3200-13-0x0000000000F30000-0x0000000001040000-memory.dmp
memory/3200-14-0x0000000003160000-0x0000000003172000-memory.dmp
memory/3200-15-0x000000001BC60000-0x000000001BC6C000-memory.dmp
memory/3200-16-0x0000000003170000-0x000000000317C000-memory.dmp
memory/3200-17-0x000000001BC70000-0x000000001BC7C000-memory.dmp
memory/3988-41-0x000002671BD70000-0x000002671BD92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c33eqhmx.zbn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\rRelPrOQ0o.bat
| MD5 | 3bbe3393b65a530ffb08752ed82cf4e6 |
| SHA1 | 94cb010e3893eee041d5da43e5fc4e70eeeb33d3 |
| SHA256 | bcfd1f4abe78c803fc1b804f549c74d996f8462a09700fb7237bf446f98b8ee8 |
| SHA512 | fc3a6a0cac7cb6e6948c10fd0f541d131549d7091dba525a36998e1bf1c42f6e8b022a4aa4ae0f98e8a671f348e2c264d042f029a9ec42ea7c978e57b38431b3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat
| MD5 | 4b9cebdc4032bc13c3ad8fa6650a7d7b |
| SHA1 | 0b9cbc7102ae0978b3d1d01ce0be958da3a6a1e3 |
| SHA256 | 25eaa4f35b72988fdd190fd76ebc611bbb2d9f5221c2db195d0352a9621a3fc0 |
| SHA512 | 1b2d7829b4fdf89d9c7da023b6eaf990719f833555e627f8bac9821d22d189710657d7183232cb3f5989340e3647bbabe41e378a514d9078b7020f9506803747 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/3176-143-0x000000001C710000-0x000000001C87A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat
| MD5 | d4e9143f6c96cd2d64239af27d232ffb |
| SHA1 | f2078e876016242fe3f92783f636a966b87bef0e |
| SHA256 | 1ace10b58d8662fbccb6d957d0b07cdf30f3e791c3cc7e0af96727d124ed3a3c |
| SHA512 | 9f41749b6ca63fa22b91679f67d78a41ab920d0ceb79ac76fb396aa93816937ee4bb548b4406ab1bc91ef7d42368a763e18441750b2cfc88bf4f1745046a00d3 |
memory/2564-150-0x000000001C0E0000-0x000000001C24A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat
| MD5 | 1a8e9574bfda525d93b3260e97407d70 |
| SHA1 | a58e58ccffeba8f88a9a8c6cac450e196cff6d5b |
| SHA256 | 5748fdf7dd231fc7895a496f8b3f365fa4f236c963a17d1691207fd3a27e54ae |
| SHA512 | cfc8d178004b2d24acc780dab4625095f6de5a106762d28375148d327899d82eeb10d1d2564138ec0a89a51018587ed3b3cf942d88c1eea021aa6fe5f9ac1c0a |
memory/4920-157-0x000000001C030000-0x000000001C19A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat
| MD5 | 8efd4b10f29d1be8e669e1fd23ecd035 |
| SHA1 | 5b39743567696b5b8b544f1b120238829fc17053 |
| SHA256 | 2fb42a26e5c261b7f02bd87bfc59bf29ed9d8121f8a04353752cd12c7289b187 |
| SHA512 | 45716e24a528a2e7caca6e0684c3938d9c3f2215bf27b8d429c12d21fc0496c00be94329efa4f506a4e27d18bb58e5f70873173bb7d8189ea3ee3a39eb187c42 |
memory/4920-159-0x000000001C030000-0x000000001C19A000-memory.dmp
memory/3260-166-0x000000001BBA0000-0x000000001BD0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat
| MD5 | e991c685e775b82001387226134de6bc |
| SHA1 | 47b536854c07dbcb9a96d8da80d7aac587f71853 |
| SHA256 | 9360f433945e4576aee83f03cf7d400271143d7f27c82c13cb8e74a64820beb6 |
| SHA512 | 7ad4c729af8143bb594b057c862c030b3fb512a6067ed48dfc8b2e6e9e5ee73d488f2bc00a64175283d4f43bb9e27911b7b71597fee5b8ed836a0861303281b1 |
C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat
| MD5 | 34ddac05785415f8c7c45905677834b2 |
| SHA1 | 2ce5004df72ca067087415eec8f8c803553a7fd2 |
| SHA256 | 5834a12cfd51d53e38a6bf1f54e777e9a6e0617e7a4a2e45a78630611f1fb0cd |
| SHA512 | 41ef52f650475dca54bd85cfb7fd941f2f375d71f5911e5ec44cb7bb7f79acc08a9f3ad0add5ed139740466e3bc56656794d3e9c36a60d15eaf3d72cba463c54 |
memory/4912-173-0x000000001BCC0000-0x000000001BE2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat
| MD5 | 7c67246fa20c82aa6c9b023145f9ed78 |
| SHA1 | 427ae8753002c554c5a2a38b659af4c257c3a4f0 |
| SHA256 | 780ccc17e7c637dcd1eaca6d92df744b8ed13a7c8cc38b388ff40a6f07004c9e |
| SHA512 | 27b851daf19801461aebff57b56320119153dd60316e7e22d4573d17dd985195a0162d8846e168f2e9c474541379fc7a54053a00dffb99be4ee7af98f7d1e5a6 |
memory/4624-181-0x0000000002AD0000-0x0000000002AE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat
| MD5 | 505880badceb77dca85da47145aa0937 |
| SHA1 | 930666b30b229f4231558d78b8eec26912764a43 |
| SHA256 | a8a7e5d80ae34d6780ff2fad3bfe47198884bef91205008b92c8a528db7915a2 |
| SHA512 | 60fec1dcdf7073d861c2df08b1a3c5dbd76763d7bbe98ee31e439def358b7bef28d34334164c5518c13a43c35d656f60fbcb2d8cf8dbc6bab953fc140c18e3f3 |
memory/4612-188-0x0000000002AB0000-0x0000000002AC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat
| MD5 | 6ca2ca1e2af61131b83db4e369b6945b |
| SHA1 | 7f5facb181c00beb980b5887c60f81ff29f11020 |
| SHA256 | 0cdcf9e78a7631c42b2fce0a7055c0aafd14a17d12efa283fcaa7c6c0330f729 |
| SHA512 | 6b0dd7bb124097694e612eb78a9db1b4e05cb20627aa93985be2e1180de0cd312721589dba7c91bb8920b8beaee492316deaf1159f9ac9fc7ac786f199283863 |
C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat
| MD5 | d033c2f43a0efb1c44cc366cf9f03b0d |
| SHA1 | 2020afe3c0a3a54111d3cef37b6d9bb0aaff2e22 |
| SHA256 | 15138275917d8880b3ec0c3c571c55b1199f2adcd5e586f01b52590b1a2a2a39 |
| SHA512 | 16ceca6f486145042aa3708cbf0b7d769bc60ee9cf0a12f2b14026231b8f6c47937ce2baa2a8df59cac9d35d49d22cd271e769b6d288d0996173a748f9e78ffe |
C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat
| MD5 | 23c326c2c0db53b8fb0c7b8fe18c7f9c |
| SHA1 | aeffbd0dd6ea568ad5319d9f547304af13a690a6 |
| SHA256 | 1d61d69c4ff728bbd56d4ee94b99402e6d755c05b159c9518e84d55c3985e910 |
| SHA512 | ee30d49b731883bc5343adfe99aace2849f3604c6aff027afd7589fc4f4d5b19fa50b570a7292622a4e0eed3428198c4399d4979933c46cf73897d19fb508dc4 |
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat
| MD5 | 233ad05784cafc215b68ad795b050617 |
| SHA1 | 9677fb0d3fca1f6202a43b09613646b569699795 |
| SHA256 | 043d21ca0cc1c257d0eb537b9bf0603f480fc16c0ecfa383ab2db993e59b4b60 |
| SHA512 | 69957232470121ade4a41cd4f84e8c5fb2a8befe8add71487ef443b06d3b6a5cdbd622755392b0a2c75ffb516b865b78a9e567dcdda5789eafd396195be5b041 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:42
Reported
2024-12-30 02:44
Platform
win7-20241010-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\Sample Music\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\Sample Music\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\Sample Music\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\Sample Music\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\Sample Music\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\Sample Music\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\Sample Music\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\Sample Music\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\Sample Music\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\Sample Music\dllhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\DVD Maker\en-US\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Journal\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Journal\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\101b941d020240 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\fr-FR\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\fr-FR\6203df4a6bafc7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\DVD Maker\en-US\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\twain_32\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\twain_32\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\security\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\security\6203df4a6bafc7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-n..-security.resources_31bf3856ad364e35_6.1.7601.17514_de-de_036af9576c5505c8\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\security\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\security\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\security\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
C:\Users\Public\Music\Sample Music\dllhost.exe
"C:\Users\Public\Music\Sample Music\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\Music\Sample Music\dllhost.exe
"C:\Users\Public\Music\Sample Music\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\Music\Sample Music\dllhost.exe
"C:\Users\Public\Music\Sample Music\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\Music\Sample Music\dllhost.exe
"C:\Users\Public\Music\Sample Music\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\Music\Sample Music\dllhost.exe
"C:\Users\Public\Music\Sample Music\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\Music\Sample Music\dllhost.exe
"C:\Users\Public\Music\Sample Music\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\Music\Sample Music\dllhost.exe
"C:\Users\Public\Music\Sample Music\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\Music\Sample Music\dllhost.exe
"C:\Users\Public\Music\Sample Music\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\Music\Sample Music\dllhost.exe
"C:\Users\Public\Music\Sample Music\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\Music\Sample Music\dllhost.exe
"C:\Users\Public\Music\Sample Music\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2996-13-0x0000000000A80000-0x0000000000B90000-memory.dmp
memory/2996-14-0x0000000000450000-0x0000000000462000-memory.dmp
memory/2996-15-0x0000000000460000-0x000000000046C000-memory.dmp
memory/2996-16-0x0000000000470000-0x000000000047C000-memory.dmp
memory/2996-17-0x0000000000480000-0x000000000048C000-memory.dmp
memory/1028-46-0x0000000000CF0000-0x0000000000E00000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 7c2ab678381076a17db2104e5173df10 |
| SHA1 | e7a867c9cde4c6c190da96edca7a760b2038186b |
| SHA256 | 5a3a242d7a0d6171e93609b3287fb86407feee2f76ca75f072a6b61b8f5e3391 |
| SHA512 | 6b904ba3414521c912662450aa78616deef157bd2975573c5b67297808c8e5ac863fddc8eb71b7976be2fa15f1b507170a7ab1d8cc9d9c8b039fe3736e66c6b3 |
memory/1536-67-0x00000000024E0000-0x00000000024E8000-memory.dmp
memory/1536-66-0x000000001B300000-0x000000001B5E2000-memory.dmp
memory/1028-108-0x00000000001C0000-0x00000000001D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFD45.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarFD96.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat
| MD5 | dd987216225b491df1d4597766311dd0 |
| SHA1 | c3a3323c17a0f083a8877a3647c0600f8af7d383 |
| SHA256 | 25208d735394b37551f9922f97f5f9c99ab471b2cbf1c3494664936895162022 |
| SHA512 | 183506edba7bcee3b570a44726ec49a8a47b93685dc24735228be3ccdb57e14182ca8cc32e699da55891760d94c3370b76ce7f1e013c77179f927ea75076c788 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ea6965799abb34000a34d4b9523b2783 |
| SHA1 | 67e5b9e6018995560db822762586416a89441646 |
| SHA256 | 6a5ce694cb3d7439d35b362f76aff812f440dbc18b40794a4158173e4d5b098d |
| SHA512 | de0a9dd8b57bea945ac0cb7787795d0a1c5702fc4d6c1bfd3a4ef158b880e1e90f099da3c451e9b2a69863ac55fa80bd1da86e6a5b85b6c77f9c00aa9162932f |
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat
| MD5 | 03c4dce97ee0aad4437b892aee96089a |
| SHA1 | c26f1b45dbe5b287a937b5f4435f561254338d2c |
| SHA256 | b365e953d0361ac4eb73d559b996041888c17b9fc80ec4573ee9830efce85dd1 |
| SHA512 | 1b3e539d4d855b60378cb21bd89c504e8994197b416f0e33c184bd9d6417346e89e24658f9a0577873dba33906d1a34ac5ca4945de5f989f8c70a7fb9fe907e3 |
memory/1812-226-0x0000000001180000-0x0000000001290000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 409f2a75b491264bc8c473ebd77b8e1c |
| SHA1 | eca24db8d9b9bc9990bd2930de66f76f999af7b9 |
| SHA256 | 6f9d69ccae69c749f49cfd42a2a4d8eee5fd71d5e4137180e3f2b9b0b929cfbb |
| SHA512 | b6259a04abeb01bca4db48bde6887b6800d4f30958e2f0cc64c54b52090b3d2e0589f26b78bfd44bd1d8dffe24c0993f806f64d5de58ed7b704903b892e4784f |
C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat
| MD5 | 7214131fbfb822dfbda7cc8d41d6aed9 |
| SHA1 | 6938c7f2fd4990575c01c6478c67297810ad3a27 |
| SHA256 | 04302c6d96ed02a0b5226f755cd289934fa28f9b76e2dcb8692854d68bb8495c |
| SHA512 | 4096c430539d1805613142cf1c2acf74bf77d4fc5f22b086eb1fa7c4b53129823c58880eaaf98ce958c921beaec42baa1bee833fb926ba836225c74c08ce3f91 |
memory/2208-286-0x0000000001300000-0x0000000001410000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c046937c4fe96639e636600c1e1b1c17 |
| SHA1 | 1d98b2a83531e65fab5e12ab77425f6898e585db |
| SHA256 | 12c8e21889c2f71014a51ee678a95343f7964772008107d98831f137c40766b1 |
| SHA512 | 776a9b982d3c786c19d105d326a4d861b4126e1a94b010424c6b2e8e72316d87a25a0ba0c7f8c6883dd4bc3bc22837c4392257ccb518caddf9b056032d5621f5 |
C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat
| MD5 | 37d7fa14381d166d11b7f7dde4a1375c |
| SHA1 | 1bcdb5477efa59346f1cb9a1b15e2034fc5289af |
| SHA256 | 8fdfb722836443cf51e04f64f58bc0cc61e5fa7ab0d518659e22a5b21d95f509 |
| SHA512 | c8a152d9968a1f4bd438da46ff359fa85b4866fa787f2e1e1f9f4a382ba5180562d4d25fe8568d802eb417de16e967300c2fcec35ba4fd0d0cb3e798971c12a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4222ac2c9bf826a00b01c781362db7a3 |
| SHA1 | 2fef6e2fb21c9f3567fe9c6598a8e30a245cfcb2 |
| SHA256 | ffd491fedd80a38322aafdf22d90038f07059f83849818ff7f8454a50498d1bb |
| SHA512 | 157d4ff10a9541983f9e4e288283a6359c05c0a46c7cb70b6a76cae0265d1865fc74b9f67f02d6ace2f9956a5de9a26ca2c6bd744b0c9b85d5afdd86f650e141 |
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat
| MD5 | ae8197b756f308f00544c13f3c96ed09 |
| SHA1 | 3ef4968b2b8b9980dcc743f6067452e74acc09ed |
| SHA256 | dfdbc41f4096c52ab7a8e175387b3b8ba6342257f8bcd52aa6184c7f09d579ab |
| SHA512 | dc3290043075d7907f94a7c43960902d286da96814b94ef3f15c875996e801231a5abea7d0f63edbc34406139d6f085de294c3310a04de927caf7cbc9ad3aa6e |
memory/1652-405-0x0000000000430000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8bacb66c1649b72ecbe33353d82f04bd |
