Analysis Overview
SHA256
6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7
Threat Level: Known bad
The file JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
DcRat
Process spawned unexpected child process
Dcrat family
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Modifies registry class
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:42
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:42
Reported
2024-12-30 02:44
Platform
win7-20240903-en
Max time kernel
148s
Max time network
145s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Services\smss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows NT\Accessories\de-DE\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Common Files\Services\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Common Files\Services\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-help-gamesp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_391951119116a53b\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2576-13-0x0000000000C90000-0x0000000000DA0000-memory.dmp
memory/2576-14-0x0000000000240000-0x0000000000252000-memory.dmp
memory/2576-15-0x0000000000570000-0x000000000057C000-memory.dmp
memory/2576-16-0x00000000002D0000-0x00000000002DC000-memory.dmp
memory/2576-17-0x0000000000580000-0x000000000058C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | ef567b4e090c05d7116d46cdde4bdefc |
| SHA1 | eb4558d7abf2c71c4ef213a3c6233c2c9d33c68e |
| SHA256 | f9b0260d06ad10543401697733275b52bf8684f20043a6eff3f1cbe2da43afc1 |
| SHA512 | 3abb489e565e3998c454c0c588a397e08bbd75cedad773614548ca9fff4ebf9bcd37081dc9077e7a27c53fc606de6407dcb7ff46aeb2930e14f792ba2ac9eb03 |
memory/2020-45-0x0000000000220000-0x0000000000330000-memory.dmp
memory/1728-46-0x000000001B7B0000-0x000000001BA92000-memory.dmp
memory/1728-47-0x0000000002290000-0x0000000002298000-memory.dmp
memory/2020-84-0x00000000001C0000-0x00000000001D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar374B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\Cab3748.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat
| MD5 | 023a6a873beb1365181a9bd8a25f5b92 |
| SHA1 | 91fe108943f51b3888c57a0a35c490621d509ac2 |
| SHA256 | b0393449f63b933b6c89900b4672a999f28d495c12496b3a2d655e4ce968b1e9 |
| SHA512 | 6d3703349f2513ffa1bcad28a2962239a24ae1fc82407dfd289d1cbd1c1e6aae997e1c8c667dc9683fe717d2493b8c80127879994494151ee2118178d001037a |
memory/780-143-0x0000000000CA0000-0x0000000000DB0000-memory.dmp
memory/780-144-0x00000000002C0000-0x00000000002D2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ea2cd3cca5fd73fb1bf9ca49f07d981d |
| SHA1 | f362030ebbcf4a29e9fd2df5d6fcf0a270a8566e |
| SHA256 | 4e31b1fc65e36ab5c78d74e84eb836533b4d942ed94170bd602647094369034b |
| SHA512 | 01e159e4f928e7d75f4acf57ce65a5e888bc8aa772f94dd5ec4fed726d6867c245f540a37829e2f9ef29cd3f54f0aa30a411a36eae091408c7241eafd980e405 |
C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat
| MD5 | 4c4d242c1362bf3608c370f226195afa |
| SHA1 | 975890a9df8ecf9908dc465daadc9bc24e583649 |
| SHA256 | 9d192eb35b106faabf564a88d8b3853b243daf7609ff5fce82a1f29f3727686c |
| SHA512 | 96d8d3f4ed07f065dfaf95399e9fb0897fcbf1d5f653a5e51ed3f3054c2a3b7d07196dc94d4b8869d979f99689709e600135533988a4ced8c8ef6ad34ec916ab |
memory/3024-204-0x0000000000340000-0x0000000000450000-memory.dmp
memory/3024-205-0x0000000000150000-0x0000000000162000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2336accbec6808b0d937c5fe1ff2506 |
| SHA1 | 38e343de081b2672b7d7feff55c8ad58441e5a96 |
| SHA256 | 61c387df824d61d23c8db46b3ecefdc0673ebc3b97f678d4e591611656790eae |
| SHA512 | 5e96354a5027a94eec30a573a2c4cfa87e5a1dcd7efb030c8aa2628514d614c1ad1ebb0d5b9ee4dc52cf310e8e30ac307f25d7e0d224b3d674a4f0d2251bcfbf |
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat
| MD5 | a30978ec2e459fb04ab22e7604cc40a0 |
| SHA1 | eeca7310e6c6c2c2f805b8e66e81ae278d93c8b8 |
| SHA256 | d8408cb6b03c034acb413d948dae6d55159aa4ffefebdda0dd1effb1815b1c68 |
| SHA512 | edc577ee1cdb8a3bd50f931a7cf871e40ae4f6d724f6f9945162473f6d463564d56b74e9cc8ee6b66a0a1a740ca91f788c8bff845d910d038b3d87fb125f9ee3 |
memory/760-265-0x0000000000180000-0x0000000000290000-memory.dmp
memory/760-266-0x0000000000350000-0x0000000000362000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 69082d2d9d35970e45250e636f7d39ee |
| SHA1 | 23a05799c45eba27072fd46cd929e30c01871aa9 |
| SHA256 | 92215b0ce31f71a34b94dd98ba7335eec64af241f3e558092170fed25da2ef9f |
| SHA512 | b03417c42852f76c7743ab9f3cefaef7ab4893ac91e1bbd1c87995d81d12edc371abcf67f3d8da44425115c835bdeb744b81bbe0c8fc6af2b3bf2db6760197d3 |
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat
| MD5 | 95531640ce85b16c1d892f54097ce39d |
| SHA1 | 1cecf33841913df148840cbd1c94ceae680b39f8 |
| SHA256 | 9b02da6ac5992a08b68c04d8857d4818cebd2b8e5757cab54f356a5da3529f2a |
| SHA512 | abc5777d722ac729f025f97a6c959fcfdb151bdbc2c5697ac9a37bfc7eb3fd4b77f945ec3716291c290f3348d6d2a2bd179db11b8e0b342ae14a486df414efcb |
memory/2936-326-0x0000000000A70000-0x0000000000B80000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 102f552309b246d7db33bcb57ce522b0 |
| SHA1 | 32676b8e4db6ca2feb0114b1b209b8b0934f9d78 |
| SHA256 | 333165f69131c8d8e858f73f66effba00098f8fa30f63246908a7ac5ca07dfbb |
| SHA512 | 11f841a42ac181123f1e0b504b3d794d0408efc6bfb39f6d24c6f91a1efb0e1f204452152a1d2c2911fcfe18015a5b67b03c5e65edcb8a68f283695f618cef6e |
C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat
| MD5 | abc5f41868dd6592e9461667835eae0c |
| SHA1 | 809d87187b1769c019422382b0b873e96e0fab80 |
| SHA256 | acc2049d74d4781b44ad55047c4fd8e0aa01f02bd4593fd826de54bbaf3d9857 |
| SHA512 | 0384ea396a960a2acda0788f8525acc3b60279a8125e81e04bb3c2ba43be590de219cc5cbe1d78d9138892f7284fc3b831936a899ba81f470b82969fecd6594d |
memory/2860-386-0x0000000000D10000-0x0000000000E20000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2a30622d75a81d5d03fde107cbf70b6 |
| SHA1 | 0e3aac0c75caabb54ae9340975431a4bfd5bee1f |
| SHA256 | 1c0741edfa92e4dc2f0e9438425a6956efe51425498d75eecc159bc732c49599 |
| SHA512 | e3933e2c5dd1aafbae3958058f394ded860c895c10f3282bf7f27a562cf0a170a555303d343199f21ef49d4728f3f1884a1d6dadb19906e1830ee91ca7779983 |
C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat
| MD5 | 8681b8c1c027d378033d5f7921cc0cc4 |
| SHA1 | 42eb49e3d7d675871cf1d6ae8df96edd588fa95e |
| SHA256 | 3827c9f99b1e89a80d43eaaa5a2be5782ed3009d169b2efc4c1642badbad930d |
| SHA512 | 1ed497e828f465271d18f25aaddcf340047e76db3519e13b06e239e0018ea37bd6a5eced134f139f1bd7597d405d17fd1fc29961d04b4b12dca9e4306cb95bc9 |
memory/2004-446-0x00000000002D0000-0x00000000003E0000-memory.dmp
memory/2004-447-0x0000000000150000-0x0000000000162000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1758b39a03a055d8b7506098c61b69a6 |
| SHA1 | add0b55ffe6f4c508ea284cfd80eb1c7156dd69f |
| SHA256 | bd3548d594760dbe2fd3487dd6710b524bb8e641e73eb3d56726cf0e51800f54 |
| SHA512 | 46f9fe864353a0ff9b54f8a79693cae52bae0c44f93e94a6948530a0c126941f10a78055fb132ec104e814a9a181cd6515882b0668de1b0275d26681dff00e7f |
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat
| MD5 | f7d130d2a22418c8fa98b6fb02a31a25 |
| SHA1 | 139d8fc82afaf581e45672cf8e2c52a1476ed6e2 |
| SHA256 | d1cf2fc5ee0b9bf889dafa24785968c90f37d4e405fc2f2e5bc79cdfaae1784d |
| SHA512 | abf52b718823aabe7f9056c7e179f89bfd9df76b290d581c739866d55d17a7746554b5bdc7159471a1d20a0aa75549b17627c301c31c78cbbb5c797baab77cc9 |
memory/1520-507-0x0000000000C40000-0x0000000000D50000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4246e7342ab8f882ab5091c105c1aa1a |
| SHA1 | 20f949a6662c498b93134168653285d9a063cf3a |
| SHA256 | 9b3a984a81598a9b667c89df1eb940060329e908975614bf9eaf0fc5b5427be8 |
| SHA512 | 0317b35374e3254a82331d2ebb7303facf4a91bdcf7cb0427eaebf49befaffe6b96dc5466bff5720404e553a0105669b5703528abc4d2237a5470e3fe5ede501 |
C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat
| MD5 | 818d52263b84cc7030cccb5c8e943a7a |
| SHA1 | c28918b85c1170ca7f7b50f4f9f562946bf42886 |
| SHA256 | dcc6cab4f05fc5a236afa7bb71363f411b9a35366be9ee086bdd4b37f0e08932 |
| SHA512 | b55193c9f6de3d1407d1f75f48e91ae5809b39a61b6453a23249097edc81030f833c458bc1cc77e0654eff470217c102800cf4c09d2b59521f78793a9be5ea8d |
memory/2000-567-0x0000000000100000-0x0000000000210000-memory.dmp
memory/2000-568-0x0000000000250000-0x0000000000262000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 63bca8993ef282705ec3892e2490f08c |
| SHA1 | 28abe39ffa617cd90177dc4c20649e422275e729 |
| SHA256 | 6bbe34d0874da5d8aec021a487abee1560bce08e81a71953b91a5063e228a0a8 |
| SHA512 | 8a0649a6c481f7e10bcf766e22888ff2185f103f58f5769653a8c9f172ac96ddca3226d59a36d4d9cfc8fb6f4bf966ce540b73b69b6b4613f78fe7f90fbdf96e |
C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat
| MD5 | a016008d01b2acdc51ab821ab5ac737e |
| SHA1 | 24ed95d14902418bbbba55fc8eecba41c09a8644 |
| SHA256 | 0a7ec7ace1e5c9214ad4293c79c63335790fd7f76a34a99301d5ec40d692f6b9 |
| SHA512 | 9f3139d50177b86a8fe56425498f6d5f222308984534c5154b77eb256a52a1d3828d2dfb4c5ca65ab37af7a6dc0df648a17d68d1ed9441f631c03e9ad4403b3b |
memory/1208-628-0x0000000000BB0000-0x0000000000CC0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dd3163f955d445d87124a2d7bb805413 |
| SHA1 | 85946353e2cb64f7731eec8bfd95b1816d35badd |
| SHA256 | 8c66c9918fbc3c6ffb127a23987b015b45c6bda2d71145027a3293c65cfaab43 |
| SHA512 | bad52e9edc8434e43f9d3bb83a181ae5a2d175e61a51ad7c9566a8c89b942cb276d200fb0e6165a6620ed144b7aa835e6a65f3903c7721037d9458f8bacf19b5 |
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat
| MD5 | c89266f3cc2a397cd9c2f5dd289ce203 |
| SHA1 | 52c1c469311c707ef9f92794723eaba3547c8dba |
| SHA256 | 64959f014b62beccb192ccbbdf60277ce155764432e09c21d1db4809a59297b3 |
| SHA512 | d966dcfdee27b9d23f3e5943f34eec435c93fec200c3d235baaffc40314da1d8f44d56729cf086bee01c9b8ceed9e27ddda521b82d8ac5d6cde50f379f9581c8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:42
Reported
2024-12-30 02:44
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Portable Devices\ee2ad38f3d4382 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\22eafd247d37c3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\Registry.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\debug\sysmon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Windows\debug\sysmon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\debug\121e5b5079f7c0 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\fr-FR\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\fr-FR\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\sysmon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9hYFnRH7ET.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\RuntimeBroker.exe
"C:\providercommon\RuntimeBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
C:\providercommon\DllCommonsvc.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pluqywwn.wrr.ps1
C:\Users\Admin\AppData\Local\Temp\9hYFnRH7ET.bat
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat
C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat
C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat
C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat
C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat
C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat
C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat