Analysis Overview
SHA256
0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598
Threat Level: Known bad
The file JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Process spawned unexpected child process
Dcrat family
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:41
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:41
Reported
2024-12-30 02:44
Platform
win7-20240903-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\101b941d020240 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\OSPPSVC.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\OSPPSVC.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\1610b97d3ab4a7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\csrss.exe'
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2896-13-0x0000000000070000-0x0000000000180000-memory.dmp
memory/2896-14-0x0000000000540000-0x0000000000552000-memory.dmp
memory/2896-15-0x0000000000560000-0x000000000056C000-memory.dmp
memory/2896-16-0x0000000000550000-0x000000000055C000-memory.dmp
memory/2896-17-0x0000000000580000-0x000000000058C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JE0YFJX1IMUMR6BOFCY7.temp
| MD5 | 8620a1a5ac537434304cc8c7119e5ad1 |
| SHA1 | 58a0177b861cec304557e93a8a3a82ea06410a93 |
| SHA256 | 87e8a48439079e3003f3fadbd101b06d480b55dc3d7a293d0d5e121426396e64 |
| SHA512 | 39e553ba557fbec09b8c5070b0a290085fd5301ea0c82ea53c9a1a79b2bfe99016a2cc59e6a90876f82d3dec562dc58a9ac62713d2742781e382084022bdf7bd |
memory/1896-49-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/2432-58-0x0000000000010000-0x0000000000120000-memory.dmp
memory/1644-57-0x0000000001EC0000-0x0000000001EC8000-memory.dmp
memory/2432-59-0x00000000005D0000-0x00000000005E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab149C.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar14CD.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat
| MD5 | 7a3a5502acf6af616f1f930fe25a9441 |
| SHA1 | 2e4b0a65fd7eb24e9ad361782bbfacc15951a6f6 |
| SHA256 | 3c65fb06810fc30fa612acb3c60147c86068f75e3b6d8223e46651d76252c509 |
| SHA512 | 94e1ed87e8d57ff7539fe94f9a75872f497b5cafd0123d418c74c8ab84777179a5fb8fdafe356199cd7d937ae172913112619e4a77d25686d132a4a2050c1940 |
memory/2068-118-0x00000000013A0000-0x00000000014B0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b4b53eecfda2ca7fb18302a73d015c0e |
| SHA1 | c2033f0da684aa2a197a8c84e7af0690a2771aea |
| SHA256 | 257af08f650f7f551cc1c87a0ca674923151835ff34bdf83d61a863772b64cb1 |
| SHA512 | f2fa5d0a771548abe5a8f4f65063a9a4668cfd17377365643d764b0978f60e1a1b582c5fa5b36ad12b0687042283c3140d0b57632ca40f95c48301f4a8b83f6f |
C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat
| MD5 | 4d776d35f1cb5c082087b3f07918fb79 |
| SHA1 | 1ca5b7dfba26390d3fc92616f479c2c8fb30eea8 |
| SHA256 | 9290fa1836b3c65d7521e7b652864aea7e2a95aea45b04b17a80a0ab35cfc0ad |
| SHA512 | df3b787842a5ff7a0bfcb39d1de20f719066fa0948c38aaeb1ca744edfe7e333f703982785114c8abc6f8bcf9b144109f8a2587e5c43428cc5d1067bfbd16bb4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b34745b34d0fb50516a88d85a2dc8fa |
| SHA1 | 40ba3ae4cf89befc09378f44ad3e378532e46e7f |
| SHA256 | b9b213d022d1d6651e2f6cd8f90f2cc499f9201d012fb7679b00c816a65d9bf3 |
| SHA512 | 42d2fa25e6362f4e648e5b6dbb20d99b74295775bc016d2efa02a7fcf60c3ac4b72fcd4d8f4c07b974d98e4baf09718f8b568dbd074b9e10d2d3d1560d4249da |
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat
| MD5 | 8f39679d791826dad83910be1deabd71 |
| SHA1 | 03a4163c51d214dcd8eaa10522f00859796ecc4b |
| SHA256 | 05d39808aa6e7c6b142931f19623ae79e88bff7c57c8f2c526518b5d75df3d5c |
| SHA512 | ead369882cb791b61520fa7d73d2a3b43071a0c68c80666740c19b148aef1920864406c0772b1a65d52f6d330c850428d57671e92b792e11c75694a25b80aa72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 20643d296a3abd703475b77e3acec5ec |
| SHA1 | 88072f03432820c21cef8ab71772dd402b8eb229 |
| SHA256 | 2cc38c4001238e2ac855da28ca82a7328298c8cd2d02c4d2c5a429091703a9e3 |
| SHA512 | 1237538b2543f0ba1b0f73099e9b6057c9e523621fe6aa4f0bd490a400503bece8cf979913bf20a621e9ecb5268ce46aec3fda82c51aa59fa12f5fb6c8a7fe1e |
C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat
| MD5 | 48171886fb1beba5aa2da88471d71fcb |
| SHA1 | cdb704d91af34f2fe42b83aab93c03c45493d0f5 |
| SHA256 | 051f575e0a263e1e68be35a7e49d2a9dd497313771c3ef770ec27d34c3df8a80 |
| SHA512 | d60693042e1bf709932cb802c0c452d81b7012b6e279ccda8bf7eeb53d30ea37d1e54f151ac4e6fcebaa7b045a8937ff60149b918b4ab357fdc3a7a23778a065 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 190da28354a14106eef46388f445cc6a |
| SHA1 | 83b05041784b71bb2c0c58d42c67068a0296a700 |
| SHA256 | 6a1f54940bc40468a2069390d5456a9657a3afbb04ada70792362b02df1abc4f |
| SHA512 | eb697a805b165c080b914c98671d5daf265e3694f0979d45a12b884d8c49cba6cdcdc1a5bad3bf14d249a580dd3b26d57a2675adbd07e9c1b06eda47aadab40c |
C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat
| MD5 | c87605716b3604f5cddfda150437d10f |
| SHA1 | c70a1a8dc8e1b1929cb81748cc9634565a6e2fa0 |
| SHA256 | 17a02031d96bf671d2c979b8529f7c6228394124ce68448c9b5ad3c432d77825 |
| SHA512 | 1ce363d3716a10fbdf0431b6544f1104c22361ac962177b3ccd1a95a0c76e1660673864b3f5fb1af11cb0b55baac3014094e1859718fe6f2a99a203a3b896839 |
memory/2292-355-0x0000000000340000-0x0000000000352000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e2684512959ad8dbfa9ba8fb66ea26a |
| SHA1 | 2f481285af7ef8b4027cf5326fc73ce6c954b417 |
| SHA256 | 4db812543233656cd296109f0ffb1e6158a403ada440ab9bc43b214ca9efcc2d |
| SHA512 | 5acd5a0dab0f32256b11c118efbd1ed312db1e12d3c4be1d83b7b305d49fcc907b96d2dd24342646e77169e391dceefb1829cea2c7a1891203f9ed499a945638 |
C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat
| MD5 | 4ea2b8e7f7e3d1456726825edae95c2e |
| SHA1 | a1a32966da5b7845a9b0502805c0b09120036d38 |
| SHA256 | c9918226edc0d67428642aa657d8d3f18cf0f76cfb32d63a46fbc551f1389689 |
| SHA512 | 7b9193270ab942d645566e882edef5f9d2f10bba3e8684067c6fbf95745b892a3e4e2d227ec4511b77447dd9c0c411b3e1a06add0a2c0e84a8081931af7151c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c1afd9be066b42461ff0e8209e61ca82 |
| SHA1 | 599ba965f6a72a64c1ecabf2e52704ac9d250fc9 |
| SHA256 | d4b8dda38e024d7f3a3694a4b5b4f15f6572a7a87dec34061a1f3eacfffbcdb4 |
| SHA512 | 3d631e60d959ed6031b7c7823ff53b75f811b1b9867d448437d181c45077e492921f7f76bd9f89c7a5dddf5f021d2f96cea11121f0ffc09da03505bde9e352a1 |
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat
| MD5 | 02f932ce7e126d283982434200b3d0c5 |
| SHA1 | 85f1d2f6582c64f5131be8a9e96b824cd4b8d7ac |
| SHA256 | 9ae0a8ee18ba9bd7af78c8d86df0e23a1f707a2f617f950759937f505ab348ac |
| SHA512 | 98a32de94893418f5574a581e4351495461a8cc1b5ac6505b28a9f3d7a06d95e4d80b90e012a7c0aabd34fc356155460eff6b90f0bc1981e44b5996396aaffaf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 38c0285d0a253f6a02efd1e07b461e13 |
| SHA1 | 9adfc3649807f99f0a31ceb256e9e7edbd59e8b2 |
| SHA256 | 382fad704fd2e07f988cafe2a33feec2b20b90c4170ad6609a199b8145426f70 |
| SHA512 | c406f8c20cc69a29bf1bcc9763ca0550bf165acc7873be4c9dc94a9615f8416241348f298213e37dab3e337591018f7beaabe6da02e226f5bd82578aaaace4e0 |
C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat
| MD5 | 264e0de8b2dd5b19df3d8a8ff5df030a |
| SHA1 | 2937505c94fa9e4eed221fedc7c670a55480e30e |
| SHA256 | 98dea75e8d22b8f87840e874680c13555fdfcd5ac301411630fc871e3de5715c |
| SHA512 | 3d377dfd5f28e48fffe51f9e84931bdf4cf0b2a8703614b893bbcf3bfd65ec80ac74a6b1c3b19e0578d471bbafc52b12c468a118ce0239f381d75c4ad655c2ae |
memory/2600-533-0x00000000000F0000-0x0000000000200000-memory.dmp
memory/2600-534-0x00000000002D0000-0x00000000002E2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fa70e16b5386efd8c712c8c8c22880c2 |
| SHA1 | 986eec7dac757ffa05cb191c73184c42e0120fb4 |
| SHA256 | 00af822507b4d607acdfb6d395de7df5725a60272521d248c43818e8b2f24bfe |
| SHA512 | 611cf65b20b9af13a098f951c8e4700f9dc6b59e65c979c502fa328aab931be03d17aa38ed7bc31a216b0e4d3d569495ae440780a453c5418f6b25fcc9f37425 |
C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat
| MD5 | d90c8eeb0df0ee91a07f2276d22a9e0f |
| SHA1 | c08535ca5461db10c1472fe6fea3810d7d981a9d |
| SHA256 | c54ecfc10a1cfc76c48e2fe1b4b9ae808c692574dfb50fd7cc55ea914cc218f5 |
| SHA512 | 3b607d86ed186eaaf5d23652d94746bf9d5145b982035de76ebc72d3236f6a491d7d602b375e6a481b8f38f5725b38213be8579c03d19b588469e8ad56ce9eb7 |
memory/1668-594-0x0000000001350000-0x0000000001460000-memory.dmp
memory/1668-595-0x00000000005C0000-0x00000000005D2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c70aa56d0ca3995ad9b2ac2ed3df388 |
| SHA1 | bf62e17fa6f10805ba7bd4a722f8a8c7e57abd44 |
| SHA256 | f49b8d5c22bab134387ef794a66d72d2a4656aac5d40c66d62dfd99d73a7dd4f |
| SHA512 | 4052e08355a995c949aba1c15c8173bd5a457317528bdba6534a431a96f09ea1a8cd164529ffafd5c048e83919f0aa37b2686fe8566a1d831ed9243838f7041c |
C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat
| MD5 | 1e70046fbce9fe0ef5030be1e8820b4f |
| SHA1 | 11db1394af91fabc2e31fb4acde16369c4e1a35f |
| SHA256 | 18ec7263794ab34cfc6354140ed41b8799b10a2603f1a6d63723cb4a74bc1e68 |
| SHA512 | e00742d751f3b48b43ee78d40ebf0e073665c6973f3c54f091a9332d38d720ad4b33a8db6c9a9d0a5cb41d0db25689a6c4b0191dbf2de131ca443ce99a73d386 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:41
Reported
2024-12-30 02:44
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Default\Templates\unsecapp.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Internet Explorer\it-IT\22eafd247d37c3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sysmon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\121e5b5079f7c0 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CbsTemp\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Speech\Common\fr-FR\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\IdentityCRL\INT\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\IdentityCRL\INT\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\CbsTemp\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Default\Templates\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d1424eaa60b12379d786db65f2d5d735802e80d10bb801421cc8b2b6115a598.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\My Pictures\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Documents\My Pictures\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Templates\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\AppData\Local\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Local\winlogon.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sysmon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Pictures\SearchApp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Local\winlogon.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KKwjPx7JIG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Templates\unsecapp.exe
"C:\Users\Default\Templates\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
C:\providercommon\DllCommonsvc.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jya0atca.yye.ps1
C:\Users\Admin\AppData\Local\Temp\KKwjPx7JIG.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat
| MD5 | 79c0a05a10eea50ac37cc41c166873b1 |
| SHA1 | 1abc2a0283427985bd68f01b0515b9d9285fdb85 |
| SHA256 | 2b947194415f51c093061234e85a1a6a1c9c4dd20b84d2d00cf3621a1334c2c6 |
| SHA512 | fc41b58c8a22663050ab0011ba538fe7db533b747107dbf84a22c8dd492220232fa662b3fc96450483e0f5b55c53e28dd78784c32e8d5b715cdb110aa5f1014d |
memory/2360-293-0x00000000019A0000-0x00000000019B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat
| MD5 | 724426cbdadfbfe08efd2bd0fda836d2 |
| SHA1 | 97e68441c74b23789c0e792a3fa7121a454f30d1 |
| SHA256 | 3202f92580d8dbbfa62ecc83fa1df539d33ece9f4c015d608ae15bdc0eeff252 |
| SHA512 | 631a9729484f2330b55b837b4d561c8c85ef5eaafc2150fe023080b56d1b1ba4248efe26e0f796c0afdf2e6fbd7368217f099531cc6f11c7d6a2de169a85a21c |
C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat
| MD5 | ea3bf1f152016542782574cc270bc26f |
| SHA1 | 2b579ed9c8f0494e87eac5a662d1847a63cfb700 |
| SHA256 | 7f15c23e854a0d20dd2fb8cc184425473e2196ffaa5e1fc28ce8f46c2d867d39 |
| SHA512 | 284e99b182c18d7525e765fae2d833985c33fefbe94802b968c6c6f22145605ac935ecc93b66f445df087b1200142fe538bd5ae5af095321998fb89a40e7a91b |
C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat
| MD5 | 014fe1f8e6b797e801f5a0412c61ea4a |
| SHA1 | 014b629d1c1a73019d17da4c8270665fd8d6637c |
| SHA256 | 571e0323298d0de854f31c97e5481b32982620d5ce0dd8957c1114d5a2c49a9b |
| SHA512 | 983344bd8297b3e49ad99a2615f7853eab6b191180d30b12e6b767c0d243592d9fc077fba8891f5af6e9d1a803ad006fe8d320956dd81bf2b20b74387fc800db |
C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat
| MD5 | de54df26cda763a15d4d03fc3f1fa9a1 |
| SHA1 | df8d86e541cf87350bfd5b3c9245f33d4550c85c |
| SHA256 | 089b52d859b771f3a90007c3ebd4329958f6a822a743ff3d03bc88acaaed3c21 |
| SHA512 | c8e032f149c2251831f1c67c1e2669ece4b20bd37692eaeebb6e2345f92a533517ad64241f20978f4cc2dc9e6c0d09b16e925d223c84d0e1a8df3fa6073f1b6f |
C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat
| MD5 | b528402fbd020622be330aaee980e2f5 |
| SHA1 | fe938613240fceacbf871c40d2799187bf0c50fa |
| SHA256 | cdbaa98a2652141edefeea8d27ef8ed8f31b02fad4a656475aa6bb04b79b70f9 |
| SHA512 | 5126f49e546a04311e33c39188be8e4bc560724b94122028e72349482318493317018a20a2c1f4ace25b04dcc1028ab40ee0966f9c01f9643dbd7845527185b8 |
memory/4088-324-0x0000000000CD0000-0x0000000000CE2000-memory.dmp
memory/5648-331-0x0000000001840000-0x0000000001852000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat
| MD5 | 8050dad0cc21d384bb7a0ac7462b0f63 |
| SHA1 | 7e73176cb44290d7e503b8eeb164819486dff433 |
| SHA256 | ba9349a59b66b47ab48b9ea61f30e1f6a8f95ec9cccf0e8c2739e218ef45dc17 |
| SHA512 | 97dc4b2184eed143345dddec1d515b5a3f88add01bd64836a6c46ee4cf4ac61ce6273ebc1c45c1d48ba677aae031736ddb42f3d3d5f51c2f1a8115798e64d34a |
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat
| MD5 | 892404a2213aa8781ebd79822124b3bd |
| SHA1 | e0bce3b62f3288fce0508c08112c97c1562e0ad1 |
| SHA256 | 715cf5b583b17471cfee8859118110c8d331d1c67f8b427982518d75de4183b3 |
| SHA512 | 213c890f9f06bda92ed1ca9b6f997c9715b020eaf92cd41c87b45e5fbe0b09664700db3d7310b3fd2eb13d086864d19eae9fae7fc551f213250684531f6009b0 |
memory/5960-344-0x0000000001310000-0x0000000001322000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat
| MD5 | ffc78199e07c01fcfd0bb27c0007f5c4 |
| SHA1 | a0ff619cb17c2706bb8f6497f104aa5f25244846 |
| SHA256 | 04839925a01d0814383ac48c973dcf17c070549ee72f4e95604f6b2bf2abb487 |
| SHA512 | d37deb4267d9bc63efe9950860dab88f7ce52a01444cf4560e1f21087d1c2a0efcff73ec8ded90eb26dea382d6dd45f5326e1aceb319f4f032a2c88f9cdf536e |
C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat
| MD5 | 6c4ef59fc5adfb7ac881ac5935a2b10b |
| SHA1 | f2409c711760d8e1aa1d27172ee5bdaabee8aa7e |
| SHA256 | 209ebd100b224269a6c408d88fc0b7771e3c7568e11eb3f598f5d1288a796bc0 |
| SHA512 | 4274e929e45b2a4a8ee967506345d6fce489f2121ed9ed0a3d19a93db3be82c4e308cf5a47bce45185afa4007ae3563be27af64bcc58c17f2e7006d495744bae |