Analysis Overview
SHA256
a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10
Threat Level: Known bad
The file JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
DcRat
DCRat payload
Dcrat family
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 01:51
Signatures
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 01:51
Reported
2024-12-30 01:54
Platform
win7-20240903-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (18 occurrences) | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A (8 matches) | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (7 occurrences) | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\WmiPrvSE.exe (11 occurrences) | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe (2 occurrences) | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com (12 occurrences) | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Java\jre7\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jre7\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\audiodg.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\42af1c969fbb7b | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\addins\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\addins\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe (18 occurrences) | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\wininit.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\wininit.exe'
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\WmiPrvSE.exe
"C:\providercommon\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp (11 connections) |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
\providercommon\DllCommonsvc.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Local\Temp\Cab192E.tmp
C:\Users\Admin\AppData\Local\Temp\Tar1950.tmp
C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat
C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat
C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat
C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat
C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat
C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 01:51
Reported
2024-12-30 01:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\GameBarPresenceWriter\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\appcompat\appraiser\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\appcompat\appraiser\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3200-12-0x00007FFFD1D83000-0x00007FFFD1D85000-memory.dmp
memory/3200-13-0x0000000000D30000-0x0000000000E40000-memory.dmp
memory/3200-14-0x0000000001750000-0x0000000001762000-memory.dmp
memory/3200-15-0x00000000017C0000-0x00000000017CC000-memory.dmp
memory/3200-16-0x0000000003080000-0x000000000308C000-memory.dmp
memory/3200-17-0x0000000003090000-0x000000000309C000-memory.dmp
memory/8-68-0x000001C72D1E0000-0x000001C72D202000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyufstej.h4r.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5016-126-0x0000000001190000-0x00000000011A2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f0ddc7f3691c81ee14d17b419ba220d |
| SHA1 | f0ef5fde8bab9d17c0b47137e014c91be888ee53 |
| SHA256 | a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5 |
| SHA512 | 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3 |
C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat
| MD5 | 87af4d68c556a0540a551a52b079269b |
| SHA1 | 17e68367ad300d565d494d4be6e64259f46c447d |
| SHA256 | 24ea8a5a98dec27e6b558c365e20e9c242437354d571b9c79257c9f58e9d32b2 |
| SHA512 | a98b21bb85f8d37c61672cf62e28ea46a3ff8c51767aef76b074dce1b5997bcefaaa3d840e2350534ea68968639ed9ec15e0cd5c3ff239497041bdbd85f3109a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/1668-207-0x00000000010E0000-0x00000000010F2000-memory.dmp
memory/1668-212-0x000000001C250000-0x000000001C2F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat
| MD5 | 9115e77695f1e0c5fe90e2e015429813 |
| SHA1 | 7948f86788da9ecbf76e9c4b26de41486722e2dd |
| SHA256 | b5e765fb4ad1bf483dce47e00ede9151377c500b0b8928f20e051c67ac034d70 |
| SHA512 | aae8e6b32a364bc97d6347e71cd732b38fcc335ba3a176501875bfe7ee6a5011954df0db1a0c86ca0218532d716c5de45f58fab63dafb1c12eee5c43ca83c8ed |
memory/1804-219-0x000000001C670000-0x000000001C711000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat
| MD5 | 5fccef33d3a14edefc43797bbc1b6dd6 |
| SHA1 | b52f54777dce664b56506bff5ebcfa2ba685c3d0 |
| SHA256 | 9797e6150019e97241f2de24ec5abe33f5a3a83698f77313ea288184ad55b274 |
| SHA512 | 4a3b88808695aa56b09774fcab1c8c62e9d13f96e8be768f2d1823e0bc27bae5b733b7db583fdb155b6b670f78060fd3863f1bf7ba9d21ad1572808c97eae423 |
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat
| MD5 | b5000a3ce34661a65c79054ecafcc765 |
| SHA1 | 8b08497facc668f48ef78cd77b98bbe778e097c1 |
| SHA256 | bed03f83f075b2762b1e3ba02a8b4dbfbbef6dec6b1c388323a106af14b40f22 |
| SHA512 | 593de0c9f3824a2a9e928714bae007463e7d4015a38c4ce933314bf961d0d1eed44632f3b5a6f6d24d978a9382066acf185e113422c3d14fc6058ae1649a67fa |
C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat
| MD5 | a448d78b877d481b4864ade072efa46a |
| SHA1 | aa086b940bbfecbdce2714861578a9c21d112c1b |
| SHA256 | 9be912895b8949cbded5bcaf2b0c9e88a6a94bd7d0bec3aad4da3982eb8dca59 |
| SHA512 | c20d79f06c5591fd11d97c5eabe3c163981024c41def1515eedf16bdbc50a35c71ade99f5d3987887bd2f22f170bb807f0ede90e08180ded0b69d350a8f6fbe9 |
C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat
| MD5 | 852f721c89a864eed9fa57e6d3a507f3 |
| SHA1 | 5f482cc6477e5291ccc252900a7909369476e149 |
| SHA256 | 30dde8518a482a7a7a8f56a470a858a6423d25af0128983ef1ee19b7bdc098ef |
| SHA512 | c4a373b355f5c3762ff4138cf48711aadad6c11dc7af69bd0b2dc3fb97f3b746942b63984a04c852992042a3dcc1a9819d54463bd9f7752b5b2636e5c3a66731 |
C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat
| MD5 | c60669db9241d305a1fa423cbafeefe3 |
| SHA1 | 1990dcd0b86c30b5e7ca3a4c5046c53d6c650d0c |
| SHA256 | 84e818dd8783e00c307be74137131151cf7d5369370567a33bfcc03bd39d4b11 |
| SHA512 | a961047e3bf3622bedb8d463eaa9397040f5467ca5c76e0f620a03afdc7893a3d58c86295ed2736d3a61c1fa0adff827efd9762d7d59fa1ea500d0486d127317 |
memory/2752-246-0x0000000001000000-0x0000000001012000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat
| MD5 | 42a500fd7053ec107c299fd5a9da4ea9 |
| SHA1 | be7c6ba2270191e50bef5f204aaf72e1dbad1e92 |
| SHA256 | 4f5571579babf410901135ea9eaf7e0d24fc97e4d5a4f9feb8bc742db8df0b41 |
| SHA512 | f7c314518b11aff6f212f7a849f82a27beafcbfd9fd828cd423b070f0720e6b6ec794d28c56408700a56f284b25f1d72c4514cf6adf3c65537d9845892825049 |
memory/4988-257-0x000000001CA50000-0x000000001CBF9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat
| MD5 | 704b0c798de27e0cf0bd10a841ce89f6 |
| SHA1 | e940e7552dca958cf8306ee03c1a1bc5bcbc60fc |
| SHA256 | 20d5f8646a87b7d93db5b8a610907f9a4bbaabe5c3fb2861bdceef099f15ac53 |
| SHA512 | 0db54e1f85c248e67c7dad1f676e7bd0b2fff9af44d5322ff94eb29933fa8d542c1441950a8a4908f5f31c50e8aa2d0323ba9732e02aebe41495fee11bf8707e |
memory/224-260-0x00000000026B0000-0x00000000026C2000-memory.dmp
memory/224-265-0x000000001C140000-0x000000001C2E9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat
| MD5 | d99b8561129f2a485c28aa9bd9f29623 |
| SHA1 | c337a915042117a7e9d9a7c065c0fe7837ef8160 |
| SHA256 | eb1371a4f418dcbf5466020320f7125518d58c50a7af77bc21cbf0c9ff4863e8 |
| SHA512 | d4e616f0d2b3083c138ac50e9c097f7973c40533b7ad7edd19503adbde855a80bc7abacd042120445e8ebe44623619caec8c3d08dfaaef15fdb0e7fb093a30df |
memory/112-268-0x0000000002B00000-0x0000000002B12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat
| MD5 | 9ac08c7c13a135ff10b96872a9a3cf14 |
| SHA1 | 1a53d7548a9ccb458225b5d3a1a7e5e26448429a |
| SHA256 | c15e153d03dafe09bd2dba5663a84dbc442aea4a8e8f229dd5c393c19f2a2edd |
| SHA512 | 856afd25c6cd83af4258587106729cdb43a9f70c5fae9a3286ac42012fd2832ff7631543341d6f0695ecaeaf4bb29905322ac9d6e84d05a0f666782675f6c694 |
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat
| MD5 | e5f4a9fa6e16dbe7f4879ce274f4badc |
| SHA1 | 78e0470f665dae43baaac9a125533ca81f613bb4 |
| SHA256 | 2d806c27bd3710013c337cc610962272cd4cf31954f8114d40c262b6559be490 |
| SHA512 | 43f4440fbb08438a85856b77fbcac045682f27690b099427076d26515531e768b301b588a96e9c822414160d293b2712d0d3b80f7900cc067b86657ea4a11cf4 |
memory/3516-281-0x00000000029E0000-0x00000000029F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat
| MD5 | 047927a3c0fd847168a1f526576dfaa5 |
| SHA1 | 5e7f9560d169e10f775fe37badd158d605ef3f0b |
| SHA256 | 45256ad397b156322dbf09e9402a0083e78fa7ec73b44377bff4fcef2a8bc1a0 |
| SHA512 | 3c37ca71b4fe24e18a1eeac8fee8313b8476c016e374a60a5478dbbe4f19d494d9efdd005cc0b74d7c5430ab3466f41cb8b360543933cc2d88247ad6af831cdf |
C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat
| MD5 | b71dc8a864d28397e13f5c332e123c22 |
| SHA1 | 67dc377db8c4c65bf0b89ed883d1865f53fafc39 |
| SHA256 | 7ca3fb79e72a67490f0fc467f939ef0b72aed2e026b003759cc7f65683bfb983 |
| SHA512 | a9ef39cb5a4322a04751c35f41af7846cfaf51e52ff19ddc55ea0dfd0b29eb67c162b0ada8b48f7b51b0dcbd40f7951b043a61b31e081fea205bc84d1838cb02 |
memory/4368-300-0x00000000007D0000-0x00000000007E2000-memory.dmp
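The listing above is raw data from the sandbox, but it is also the IOC set a responder would actually sweep for. The following is an added example, not part of the sandbox report or the DCRat sample itself: it parses the report's own path-plus-hash-table layout into records, builds a digest index, hashes a local file for comparison, and pulls out two things this listing happens to show. The batch-file naming rule (ten alphanumeric characters under `...\Local\Temp`) is a heuristic inferred from the names in this one report, so treat it as such; the UsageLogs check rests on the fact that the .NET runtime writes `CLR_v4.0\UsageLogs\<exe>.log` for managed processes, so a log named `winlogon.exe.log` means a managed binary ran under that name, which the real native `winlogon.exe` never does. The embedded excerpt is three entries copied from above so the code runs offline.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed excerpt: three entries copied from this report's dropped-file
# list, embedded so the example runs offline. The real list is longer.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat
| MD5 | 87af4d68c556a0540a551a52b079269b |
| SHA1 | 17e68367ad300d565d494d4be6e64259f46c447d |
| SHA256 | 24ea8a5a98dec27e6b558c365e20e9c242437354d571b9c79257c9f58e9d32b2 |
| SHA512 | a98b21bb85f8d37c61672cf62e28ea46a3ff8c51767aef76b074dce1b5997bcefaaa3d840e2350534ea68968639ed9ec15e0cd5c3ff239497041bdbd85f3109a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/1668-207-0x00000000010E0000-0x00000000010F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat
| MD5 | 9115e77695f1e0c5fe90e2e015429813 |
| SHA1 | 7948f86788da9ecbf76e9c4b26de41486722e2dd |
| SHA256 | b5e765fb4ad1bf483dce47e00ede9151377c500b0b8928f20e051c67ac034d70 |
| SHA512 | aae8e6b32a364bc97d6347e71cd732b38fcc335ba3a176501875bfe7ee6a5011954df0db1a0c86ca0218532d716c5de45f58fab63dafb1c12eee5c43ca83c8ed |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Expected hex length per algorithm; rejects truncated or garbled rows.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Parse the report's "path, then one row per digest" layout.

    Returns a list of {"path": str, "hashes": {algo: hexdigest}}.
    Lines of the form memory/<pid>-... are dump references, not files.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError("hash row before any file path: %r" % line)
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError("bad %s length in %r" % (algo, line))
            current["hashes"][algo] = digest
            continue
        current = {"path": line, "hashes": {}}
        records.append(current)
    return records


def build_index(records):
    """Map (algorithm, digest) to the report path it belongs to."""
    return {(a, d): r["path"] for r in records for a, d in r["hashes"].items()}


def hash_file(path):
    """All four digests of a local file in one streaming pass."""
    hashers = {a: hashlib.new(a.lower()) for a in DIGEST_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(digests, index):
    """Report path sharing any digest with the given file, else None."""
    for algo, digest in digests.items():
        hit = index.get((algo.upper(), digest.lower()))
        if hit:
            return hit
    return None


# Heuristic inferred from this sample only: every dropped batch file is
# <10 alphanumeric chars>.bat directly under a Temp directory.
TEMP_BAT = re.compile(r"^[A-Za-z0-9]{10}\.bat$")


def looks_like_dropper_bat(path):
    p = PureWindowsPath(path)
    return p.parent.name.lower() == "temp" and TEMP_BAT.match(p.name) is not None


def managed_process_names(records):
    """Process names recovered from CLR UsageLogs entries (<exe>.log)."""
    names = set()
    for r in records:
        p = PureWindowsPath(r["path"])
        if p.parent.name.lower() == "usagelogs" and p.suffix.lower() == ".log":
            names.add(p.stem)
    return names


if __name__ == "__main__":
    recs = parse_report(REPORT_EXCERPT)
    for r in recs:
        tag = "dropper-bat" if looks_like_dropper_bat(r["path"]) else ""
        print(r["path"], tag)
    print("managed processes seen:", managed_process_names(recs))
```

To sweep a host, feed `hash_file()` the candidate paths (the `Temp` and `UsageLogs` directories above are the obvious starting points) and pass the result to `match_digests()`; a hit on any one algorithm is enough, and the index keys on all four so a report that only lists SHA256 for some entries still works. Paste the full listing from this page into `REPORT_EXCERPT` to get the complete IOC set.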