Analysis Overview
SHA256
0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf
Threat Level: Known bad
The file JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
DCRat payload
Dcrat family
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:09
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:09
Reported
2024-12-30 02:11
Platform
win7-20240903-en
Max time kernel
146s
Max time network
141s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Portable Devices\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\DVD Maker\es-ES\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\DVD Maker\es-ES\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
| N/A | N/A | C:\providercommon\lsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\lsm.exe
"C:\providercommon\lsm.exe"
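The process list above is the whole DCRat loader chain in one place: WScript runs the dropped .vbe, a .bat hands off to DllCommonsvc.exe, which registers scheduled tasks named after Windows system binaries (lsm, spoolsv, dwm, taskhost) that point outside System32 and request /rl HIGHEST, adds every dropped path to Defender's exclusions with Add-MpPreference, and keeps relaunching lsm.exe through temporary .bat files that call w32tm /stripchart against localhost as a delay. The Python below is an added example and not part of the sandbox report: it turns those observations into detection rules and runs them over process-creation records constructed from the command lines on this page. The (parent, image, command line) record layout, the parent values other than the wmiprvse.exe named by the "Process spawned unexpected child process" signature, the two benign control records and the ATT&CK mapping are the editor's assumptions, not sandbox output. The exclusion rule is generalised beyond this sample to -ExclusionProcess and -ExclusionExtension as well.

```python
"""Detection rules for the DCRat loader chain recorded in the process list.

Added example, not part of the sandbox report. EVENTS is constructed from the
command lines on this page; the (parent, image, cmdline) layout, the parent
values other than wmiprvse.exe, the two benign control records and the ATT&CK
mapping are assumptions made for this example.
"""
import ntpath
import re
from dataclasses import dataclass

# Where the genuine copies of the impersonated binaries live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Binary names the dropper reused for its payloads (taken from this report).
LOOKALIKE_NAMES = {"lsm.exe", "spoolsv.exe", "dwm.exe", "taskhost.exe", "services.exe"}
# schtasks.exe switches that consume the following token as their value.
SCHTASKS_VALUED = {"/tn", "/sc", "/mo", "/tr", "/rl", "/ru", "/rp", "/st", "/sd", "/ed"}
TOKEN_RE = re.compile(r'''"[^"]*"|'[^']*'|\S+''')
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique id (editor's mapping, see lead-in)
    rule: str
    detail: str


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping double- or single-quoted spans whole."""
    return [t.strip('"').strip("'") for t in TOKEN_RE.findall(cmdline)]


def parse_schtasks(tokens: list) -> dict:
    """Map /switch -> value for a schtasks.exe command line; bare flags map to ''."""
    opts, i = {}, 1  # tokens[0] is the image name
    while i < len(tokens):
        key = tokens[i].lower()
        if key in SCHTASKS_VALUED and i + 1 < len(tokens):
            opts[key], i = tokens[i + 1], i + 2
        else:
            opts[key], i = "", i + 1
    return opts


def check_schtasks(parent: str, cmdline: str) -> list:
    opts = parse_schtasks(tokenize(cmdline))
    if "/create" not in opts:
        return []
    out, target, name = [], opts.get("/tr", ""), opts.get("/tn", "")
    if (ntpath.basename(target).lower() in LOOKALIKE_NAMES
            and ntpath.dirname(target).lower() not in SYSTEM_DIRS):
        out.append(Finding("T1036.005", "task runs a system-binary lookalike outside System32",
                           f"{name}: {target}"))
    if opts.get("/rl", "").upper() == "HIGHEST":
        out.append(Finding("T1053.005", "task created with /rl HIGHEST", name))
    if ntpath.basename(parent).lower() == "wmiprvse.exe":
        # A child of WmiPrvSE.exe is the footprint of Win32_Process.Create:
        # the loader launched schtasks through WMI rather than directly.
        out.append(Finding("T1047", "schtasks.exe spawned by WmiPrvSE.exe", name))
    return out


def check_powershell(cmdline: str) -> list:
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return []
    return [Finding("T1562.001", f"Defender Exclusion{m.group(1)} added", m.group(2).strip())]


def check_w32tm(cmdline: str) -> list:
    t = [x.lower() for x in tokenize(cmdline)]
    if "/stripchart" in t and "/computer:localhost" in t:
        # Sampling the local clock has no admin purpose; here it sits between
        # each cmd-launched .bat and the next lsm.exe start, i.e. it is a sleep.
        return [Finding("T1497.003", "w32tm /stripchart against localhost used as a delay", cmdline)]
    return []


def analyze(events) -> list:
    findings = []
    for parent, image, cmdline in events:
        exe = ntpath.basename(image).lower()
        if exe == "schtasks.exe":
            findings += check_schtasks(parent, cmdline)
        elif exe == "powershell.exe":
            findings += check_powershell(cmdline)
        elif exe == "w32tm.exe":
            findings += check_w32tm(cmdline)
    return findings


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"  # parent named by the sandbox signature
# Constructed records: (parent, image, command line). Parents the report does not
# state are left blank; records 4 and 7 are benign controls invented for contrast.
EVENTS = [
    (WMIPRVSE, r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /f'''),
    (WMIPRVSE, r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f'''),
    (WMIPRVSE, r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f'''),
    (r"C:\Windows\explorer.exe", r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'''),
    ("", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'"),
    ("", r"C:\Windows\system32\w32tm.exe", "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ("", r"C:\Windows\system32\w32tm.exe", "w32tm /query /status"),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.technique:<10} {f.rule}: {f.detail}")
```

The lookalike rule keys on the target's directory rather than on the task name, because the task names here ("taskhostt", "lsml", "spoolsvs") are deliberately one letter off and would not match a plain name list; the real tell is a system-binary file name living in C:\providercommon or under Program Files. The benign backup task and the w32tm /query control produce no findings, so the rules can be dropped onto Sysmon Event ID 1 or EDR process-creation telemetry without flagging ordinary task creation.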
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2772-13-0x0000000000B10000-0x0000000000C20000-memory.dmp
memory/2772-14-0x0000000000750000-0x0000000000762000-memory.dmp
memory/2772-15-0x0000000000A10000-0x0000000000A1C000-memory.dmp
memory/2772-16-0x0000000000A00000-0x0000000000A0C000-memory.dmp
memory/2772-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp
memory/2040-34-0x0000000000880000-0x0000000000990000-memory.dmp
memory/2872-60-0x000000001B690000-0x000000001B972000-memory.dmp
memory/604-61-0x0000000002780000-0x0000000002788000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d2955540224727a9900f5d2c483bb836 |
| SHA1 | d9b343d6043b23ade7c60bbb95961fe6cf679e55 |
| SHA256 | 3c3219cec153c9ac2c8aeaaf06b354f8afaf456485d6f85617237fed8f6f05a3 |
| SHA512 | 1a1467440b1e3646ab090b32851545ea214cdeebda6e83fe639cff94516edf1c4f1d3c27e48a8ecc576262ed00a0996c003c780523d4945f0912b3dfe6958579 |
memory/2040-45-0x0000000000410000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabE9E4.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarE9F7.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat
| MD5 | bb3604cfe115864f8d3825efd0aec200 |
| SHA1 | b232e841415b294c92586d881f7be8c56d3b9065 |
| SHA256 | 18e15a5a9fc8ada356d9c79640cfb54e374c12bdae3e02bdfc76e7be05d92151 |
| SHA512 | feb11c92a30fe46634ce8b75a87332324af2a5f3a3ae48611b7760f9c2dbcef9167778c038c3eb4fbb268476faa2d6e99fb882929244ec808cfb04d46798f94f |
memory/1636-125-0x00000000009F0000-0x0000000000B00000-memory.dmp
memory/1636-126-0x0000000000440000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | af643fb6807ea16d2716d473535c25c3 |
| SHA1 | 042412790e9f0910abdce34d22da7f9d873cd3fd |
| SHA256 | 1e946313b975abcbb68a50960a4e79296dbf3d6b1c09c4efd0fae1bd8cc47dbc |
| SHA512 | b53c57435551a7947100db9ef4c28e4c7bee9f89af33364bcbd117886babf8e546e43202716ceb692fbb3a71247ff40c5462dc1a7455463e660a9605bc6fda0c |
C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat
| MD5 | 0911304f23d4511e232ed1ebd9e5cc2f |
| SHA1 | 8693eff178de3c9bc738dde075c68f10d64b5ec1 |
| SHA256 | ee082c229a9a187231f34c36eb8d6d3920d55cc3e074960c3422a1c69d58ad07 |
| SHA512 | 9cc85178dd9b33f911469a21a05d9651f8bff840074cb2db216da8ac76900b8d1a1ca4c12b953b30d78d8521ac2dd736f64e0989aa3d1d4460ef2cf79201245a |
memory/2820-186-0x0000000000F10000-0x0000000001020000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c03c7b805532132763c7821064f136ef |
| SHA1 | f8de427f1800c1569282b3da00d57988cd3cfd21 |
| SHA256 | 1251cde26d8df57d3414076c4864302abefa8be905bb6fe18d7fc0fe364a8c74 |
| SHA512 | 4463291ccbf5023d8e7ffd2936966a23979f24d72d1760ed2672ea78d1f8c722cd2d4a3cf5b28e8f1225f9c6528a869b94721fc0c881b1d215e9c50dd4d5037f |
C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat
| MD5 | b4934ab696138c1f144acb8ab8106e19 |
| SHA1 | 174d048a2f7c4e0e54adc0a2a164d7b9ed242e74 |
| SHA256 | bd8bcf62858b92e8603eb3ea607eba6c6822ef1a14b796f5841395bcb5ed21e3 |
| SHA512 | 3390ea3228c9d76fc6dbd30fae8af9b5b5aef4a1543e61e3040007bda9032ffe25860b408bb1676034f1f192628834eb95cdda3184511029f74541abfb10ba7e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4af22a948cb30f5b761bcbc53f859222 |
| SHA1 | ea53afe1281af888977034596abead93dfe32142 |
| SHA256 | 22512a0ec373b93add39c9d8d1f4f0aafbe23865f147d87464607aa7cbeb25db |
| SHA512 | a39e321feb6719d78c1bb436c4f0a7838e00f4bd222060d6d95c1c41ec720825dd5dc3810df390bad04354cbe41d7cb4b272bfdefa5ade9549d74bb182cf48a5 |
C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat
| MD5 | a5599b59fd7fed966f2f573b94027961 |
| SHA1 | a04b3bca87454ac2e9226b6e98cb0df61f3248bb |
| SHA256 | 5d121d4b62140db536469666f6f2efc8aa3e350f98530d31be8ceb743ceca53a |
| SHA512 | 1544eb054a3213a30accee16a786e8982a0746391bcfd934f95d990ca2921f70a3b07a739275e905e409d573cc4f4f3d295bc846bed75d6f3c8e8aa00d63fe31 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 200ed242678da3e69b977e67fc12a72d |
| SHA1 | 355d579b11e21c4c93e27d447be460440f694b5b |
| SHA256 | dd8f96b0f19c184b7152494ad41029baa835d24522a823c43c1d2b132f9f1711 |
| SHA512 | 79b1fb4e1b00cbd13e6e0740483e38e2be59187dd51f58212dabfee421a9afaf1c0bc771a3b68ab496419c8d4a605e41253bf99e5fe99672c38d511c4d4ae06b |
C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat
| MD5 | 0e327413e72d15e7e2fde393b6541d49 |
| SHA1 | f8b6ba1aae4c1e5b6bb126ac70b772fd1b969801 |
| SHA256 | fe3ba28d7b82afa22d62764667ae2af1141b398ead9fe713ca20fab52009f022 |
| SHA512 | 108854c96b88b55fbbf2f57fd89a8680ee59621f3b2e65a404f908b9589fbc851f950f9860ec1ef53d10c7d23d44cf86ab8b28a64ac250e1c0fa2fff2862ff19 |
memory/1448-364-0x0000000000140000-0x0000000000152000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 06f8f5321ae81d9878229d93bc7ec347 |
| SHA1 | 2f513e03cc49ac0277d3cd035ddc50cbf592eccd |
| SHA256 | 30d2a979bef4fdeaedaebb3d082994f27f7a08ef7b118958f5a220111dbe5bc6 |
| SHA512 | e84d5db0ee166ab7a27d02153176706742a361d6f7f1e45cc44d2e7aab86dea8059f56502d97296420215ad84575bc19ec16e450605cc3d42bb34ad9cc5f2779 |
C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat
| MD5 | 79479d67c3958307f5f86760973c337b |
| SHA1 | 7166c9709e2025a427e62eba54a2e43a71511f64 |
| SHA256 | 3bdeff7110b556ec77e139a27e734f19894ac5ed9669b04e3fb7a064ba6cc8da |
| SHA512 | fc665dabefcc1218da2a14786fa09c397c57bc886437e8b6a2ab529f7b2bcc14230111423f39b81ba0a7e7ac054dcb2124e3d422767ece6c038636ee198b1a0e |
memory/2248-424-0x00000000002C0000-0x00000000002D2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf406f1ea330d674feaa8b8df4746ffb |
| SHA1 | fc75cefa96e820554e453b13e03798076c51b194 |
| SHA256 | b8226f9b5113d23c8a9d1015c55cd6cd594ecd658a33f65db503058ac21f785b |
| SHA512 | 3f4196bee7f2493f4f87813e4858d9697cfd7df9ec5b451a95eadbcd46e470d8c9530f3af850bd1cd95070b8af72ae21ee6940e9014e60994643d674905c60db |
C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat
| MD5 | b10a6e82b0e2c0f7428778da3bc393cc |
| SHA1 | 09477b9102db7a16ab1df1892a40ba3b2996dd3e |
| SHA256 | 647fbd2532f50b4a1a594732c9c645e88371200b2eb564c80e2af58e2e038f27 |
| SHA512 | 7d04bce60440dc7191f45e18eb6749e292bdfca7ec3a78ea95b3d6c202b4536df52768952e7fce6ab2428f1b2d7c1bc1c1c9f6fc0cc798c2dc2d43aeb4626f2b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e79d7a36b1a734f7ef62527bffa286c7 |
| SHA1 | 6db92d649454383e98551bd728b83274ebcdbfc4 |
| SHA256 | 2fdb4fc74c103e09f8649f82a8d5621400bfe37c3a5e53d9a3eff17b28a31ae6 |
| SHA512 | e4e5d0c50da02ee572b2587c90b644fec16a7e0754c1ae81ea24df9f51143d1b0a929bb2db69de823ed1159a45eb852e15bb612b2e10211cfdd184979371a5fd |
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat
| MD5 | 52f638605b0d4e8a849d26206c3954f1 |
| SHA1 | 9953f5ec8ec9a98db8bf7b50d6d604bed84e677a |
| SHA256 | 50622bf9a68c707d4886d83d06682d8ed5485d94f3fead124e3e336928217e08 |
| SHA512 | 6862af4f7f9dd06dea37d92eaea6be973d3456627825f16b76d74bf932f2398955047a3b8f6191ca68dbbef8e0b4bff9db6b3644f91cb247d8f3f29817934882 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f11730a6b01c30138b4edd247cbad45 |
| SHA1 | ca9bd6e7f1974b47f560292ff0ce2d7723be07d5 |
| SHA256 | 8881ffd0abb38e73e34e057bb22b7a015820fa8f5846f26012721a9140ae27e5 |
| SHA512 | 3350d0d7ee69e861d2bd324fde01b1ca25d005a12618afb7fcf245b71f6c2852ab5771c60a0707f35af6e30db79b33e4c4328bb0bd03b79601c9ce7c04ae82e5 |
C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat
| MD5 | c4d99491dcda05616c102210e809c074 |
| SHA1 | 5d4984ff47497dfe0fad4b357e7e3400c72626bc |
| SHA256 | 4a5272b07b19336d19d063572d3d7ad3600cb0dd719ad17379916525c41cbd2c |
| SHA512 | 6d653acbdb51d87952dab0782da6ac6859deb3b346240988510514a036a1f7770022400f3169f903ada943e5ec2965454f73b4ca889347829f9db4a64de84af5 |
memory/1376-602-0x0000000001020000-0x0000000001130000-memory.dmp
memory/1376-603-0x0000000000980000-0x0000000000992000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5d43b9d28811c75f5af61d1edad8644 |
| SHA1 | 03fed4a689cfe88d804d3ebe3f39d74ded91fc8a |
| SHA256 | 8fe0b91f75e2832817e4524b29a22b60a00a8a2332a4126781816c28c8b16e00 |
| SHA512 | 146a4b6b7f0609408aeb724ba00df9cbfe3180e2d1c10dded4c55db85fb3197455cae8d67912ea3fec5d81d529fc7980b6c59e4e233bfd571849f846d7ccebd6 |
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat
| MD5 | 4189820fe92c7d78505d7b7a33fd0e74 |
| SHA1 | 6e2d5a60afe2db616f9cb13cf4df54d8ab3d2947 |
| SHA256 | c6fd818832e5952dd3924cb5a5f386625cbf08f241f684c601e933c651e82a0c |
| SHA512 | e90ec4b88ba20946b47bcf67b115518f62d3aeda8147df75be6bad24f7f8fdcd0c92eeadb097f603d8b072e9da901d75025181b18adce8ee940b832acdf94615 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:09
Reported
2024-12-30 02:11
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\dotnet\services.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
| N/A | N/A | C:\Program Files\dotnet\services.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\dotnet\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\dotnet\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\dotnet\services.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b14cc29923cac34825576d1f1488454fd04819bc1af24f406455383fd8edacf.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\dotnet\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\dotnet\services.exe
"C:\Program Files\dotnet\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
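The process list above records the whole DcRat persistence and defence-evasion sequence in plain command lines: `schtasks /create` jobs that point at copies named after Windows binaries (csrss.exe, services.exe, unsecapp.exe, TextInputHost.exe) but placed outside C:\Windows, several of them with `/rl HIGHEST`; `Add-MpPreference -ExclusionPath` for every dropped copy; and `w32tm /stripchart /computer:localhost` used as a sleep inside the relaunch batch files. The following Python script is an added example, not part of the sandbox report or of any tool it names: it tokenises such command lines and flags those three behaviours. The sample input is constructed from command lines copied from this page; the masquerade name list and the rule that those names are only legitimate under C:\Windows\ are assumptions made for the example.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Assumption for this example: these binary names are only legitimate under
# C:\Windows\. The list is taken from the task targets in this report
# (System.exe is not a Windows binary, but the dropper uses it the same way).
MASQUERADE_NAMES = {"csrss.exe", "services.exe", "unsecapp.exe",
                    "textinputhost.exe", "system.exe"}
WINDOWS_DIR = "c:\\windows\\"

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
MP_EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
W32TM_SLEEP_RE = re.compile(r"\bw32tm\s+/stripchart\s+/computer:localhost\b", re.I)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


@dataclass(frozen=True)
class ScheduledTask:
    name: str             # /tn
    schedule: str         # /sc: MINUTE or ONLOGON in this sample
    interval: int | None  # /mo: minutes between runs when schedule is MINUTE
    highest: bool         # /rl HIGHEST: run with the user's full (elevated) token
    target: str           # /tr with the wrapping single quotes removed


def parse_schtasks_create(cmdline: str) -> ScheduledTask | None:
    """Return the task described by a 'schtasks /create' command line, else None."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts: dict[str, str] = {}
    for i, tok in enumerate(lowered):
        # a value-taking switch is followed by a token that is not itself a switch
        if tok.startswith("/") and i + 1 < len(toks) and not lowered[i + 1].startswith("/"):
            opts[tok] = toks[i + 1]
    mo = opts.get("/mo")
    return ScheduledTask(
        name=opts.get("/tn", ""),
        schedule=opts.get("/sc", "").upper(),
        interval=int(mo) if mo and mo.isdigit() else None,
        highest=opts.get("/rl", "").upper() == "HIGHEST",
        target=opts.get("/tr", "").strip("'"),
    )


def is_masquerade(path: str) -> bool:
    """True when a system-binary name is executed from a directory outside C:\\Windows\\."""
    return (ntpath.basename(path).lower() in MASQUERADE_NAMES
            and not path.lower().startswith(WINDOWS_DIR))


def analyze(cmdlines: list[str]) -> list[tuple[str, str]]:
    """Map recorded command lines to (finding, detail) pairs; benign lines yield nothing."""
    findings: list[tuple[str, str]] = []
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task:
            if is_masquerade(task.target):
                findings.append(("masquerading persistence", f"{task.name} -> {task.target}"))
            if task.highest:
                cadence = f" every {task.interval} min)" if task.interval else ")"
                findings.append(("elevated task", f"{task.name} ({task.schedule}{cadence}"))
            continue
        m = MP_EXCLUSION_RE.search(line)
        if m:
            findings.append(("defender exclusion", m.group(1)))
            continue
        if W32TM_SLEEP_RE.search(line):
            findings.append(("w32tm used as sleep", line.strip()))
    return findings


# Constructed sample: command lines copied from the Processes section of this report.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\services.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
'''.strip().splitlines()

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_CMDLINES):
        print(f"{kind:26} {detail}")
```

On the constructed sample the script reports the three masquerading task targets, the two `/rl HIGHEST` tasks, the Defender exclusion path and the w32tm delay, and says nothing about the cmd.exe launch of the batch file. Fed with process-creation telemetry (for example the command-line field of Sysmon event 1 or Windows event 4688), the same rules surface this sample's behaviour without relying on file hashes, which change between builds of the dropper.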
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3928-12-0x00007FF8BC243000-0x00007FF8BC245000-memory.dmp
memory/3928-13-0x0000000000F90000-0x00000000010A0000-memory.dmp
memory/3928-14-0x0000000003110000-0x0000000003122000-memory.dmp
memory/3928-15-0x000000001BCC0000-0x000000001BCCC000-memory.dmp
memory/3928-16-0x0000000003280000-0x000000000328C000-memory.dmp
memory/3928-17-0x0000000003290000-0x000000000329C000-memory.dmp
memory/1600-48-0x000001816CA50000-0x000001816CA72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjwzrtjf.4xf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2320-98-0x00000000013E0000-0x00000000013F2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat
| MD5 | 6c65da0ed579b4120beff5bb615ae0d2 |
| SHA1 | 62093fb6d2636ed54d10423e4afe5c439bf9576d |
| SHA256 | 86c3a74c91aff0539edcf019e55ec1eda24f1a1a11812456a88e42b438f6cc14 |
| SHA512 | f71a00ef90a336774c2b1f8df2c9ff80b7b1e42289d8b71c30eed313cf2e4d54ec297670a4bd5c0d8939ef49ad13fe2770bf1ad24854b209a364fcef83f5a85b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/940-146-0x000000001D490000-0x000000001D639000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat
| MD5 | 0f6776a780d0bf0e324aec220dcfabd7 |
| SHA1 | 2e804442eb00f2bdf282ce1a2aa7624bf6f7feb8 |
| SHA256 | 69f44e4001833f1b79ceb49e9af89ec180b5ded92ff2bcd4d9e97aae65176f53 |
| SHA512 | 85943f05480f8e385bf9d8751c209fc25cd6120d3f75af846ce53d134d88bdf2e6bcaf0489b5aa5ea5632c110182beef232cf1959cbbcc7bd5ad7624a234c017 |
memory/556-153-0x000000001D600000-0x000000001D702000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat
| MD5 | 681e0648dd4d75c5ffd48f0bf0926aa9 |
| SHA1 | 5da8ac97b7853f6578539bc70ccdb289f87ea1ca |
| SHA256 | 2b7e6406bb0b772a33139ecc70b00e08fcb4d91b3a3fc850a9522c6658034d40 |
| SHA512 | 1d6fb6a5a119a90c2d252f229771f5a7be46556226b5dec6378f174060599f57bc78128e361f59703028f0e8ac36b9a2ec654d2123f356a4795a2a2ccf99b75a |
memory/5112-160-0x000000001D700000-0x000000001D802000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat
| MD5 | 48ddd95a6b9eac09f8f6a12246d5fe23 |
| SHA1 | 64afdc168530c17c789338ec736e5b4c688358be |
| SHA256 | d2d9eb1d502f0fae042aaf62018a0941cf3cb8d20ec5fb749e103383387aec90 |
| SHA512 | e69ef71b9f7b06bf10c440e6ef5c85d60ca194e185c6d8eb059f1351d02e633ae79298e58e2053271f48cfdd09f7ecf5cf21ef473cb4c757a3b4b9ead016f4ac |
memory/648-167-0x000000001CF00000-0x000000001D002000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat
| MD5 | a6fee2f05ca9c085c8468a0f12335f1e |
| SHA1 | 017e80bc694aef8dc2f96c7e851786b608c9209e |
| SHA256 | a1f422c7843e16793898360950c32bf51eaa411b6f77e7299b08cc7314d5c36f |
| SHA512 | 91f80f7d3880d77dbcf53aadc31fc596b67ef109c80ac3480a13349b4a05e6eca3fffc3858624b5f2aa372b222d95f8f779e040ee66e7f558905d4bf15af5869 |
memory/1488-174-0x000000001D300000-0x000000001D402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat
| MD5 | 15a4591f42209aad03474b3236257b9a |
| SHA1 | 1e3a215e818f2600bd6717e511e5286805a66853 |
| SHA256 | 23abd63a5959340ec04cae0dc5ef5d28fa62acb3d5bb65cfb8c2b516706fa5a6 |
| SHA512 | 0607876b2fb22e304d2897132b12da0d1c6947d7e2be869318cf25ae60242d998ee55431670ba53ae3a8945ac8d882f58b67fb59192e166ab52937669b340c52 |
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat
| MD5 | 3044681b42cc5e83e69342ad2bcf23f4 |
| SHA1 | c7e74b72914c65f115226ccf9c1671be65f3c790 |
| SHA256 | 0fcc4ddf2178f90ddf4001859aa74f37e6cf400fe7c3b1900de569cc3aee47ce |
| SHA512 | f80c26b4b0b3904fc29cfaeb2b1fb29f50d0c7c7d07108d1e379b0ee9ba2a1848af99ff949ba5d6742188dfd08227c83ddac3e414be1c6db4f1af9246d255a97 |
memory/2028-182-0x000000001D4B0000-0x000000001D659000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat
| MD5 | f86b02fe00be828b537e002adcd399d1 |
| SHA1 | 5f2503d915ca994f3f04f4432016c7cd079007fa |
| SHA256 | af1621066be7837277294c275f9767c9e6c6a2ae1547dd299a01a0c21a7c0a59 |
| SHA512 | da7fed02ba9b89ee17f8fc03468bb978ae2891fc42afc2dbf11b0f49f991f1bd987ad3f3d5a96b575d3aad697d3cbaeff27f8868cb8e6858d74c485830c9c0a6 |
memory/3596-190-0x000000001B5F0000-0x000000001B602000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat
| MD5 | 3d7ce200f866d36653ca8d1c14f89d81 |
| SHA1 | d85417ea1401de687a134151e836fbf83cffab5f |
| SHA256 | 5d026c4f4105fe6389b2bc11df15ad132005f71ba66586e3eaaf06b575c09f41 |
| SHA512 | a50d27e885050d244b3426d60f66e03968605936406e8a516bc807b42615c872253a80a2b66f521e577a054cbdc6407ef68d5134e094f98ceb5cf2a6938ea237 |
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat
| MD5 | 2464c7489ac8f99bb1c01f22d8315383 |
| SHA1 | a218597b9db18f5d12f2a70f8c8985f7277f8236 |
| SHA256 | de1e2fd8302a9cc2f3aef6a00553365857e7e17cd1502cccc1840252618e2f3b |
| SHA512 | cf21c8b770dfea97dc942f8f269ddd2491a9c962f62f3c37b3351f55db117d4e11239132891817328a9c40bed2de6162bd4ac627a80c399f8d54c3c929fc3632 |
C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat
| MD5 | 11f9593ab27608615597c447089d0f66 |
| SHA1 | 5e59a665cd2cb4f388d60afd1d207c22030988d4 |
| SHA256 | 2b3e20d4c1e270ac5589464a123250f81155bb6a148e4c8e634331108475e555 |
| SHA512 | 09521ed9bcc4fe22a0a864b01e0864eef71048de0fdbb661f93845205c40a6cfef866b0d4b70870dd662052189df9d38623464bb929ad9e155edb739cea9cde1 |
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat
| MD5 | e20d5432b35e690ef8514fd173f1cf09 |
| SHA1 | 19a9b8431c3d649b8b031702aed4121228a152e0 |
| SHA256 | 7afc4aa15b894ed88115b54c8c845beafd0f4ae2bf39fa55e45b3373e12bc5d3 |
| SHA512 | be66543591e3717bd4e230fd3267a29c1b002c566955bb858d332d6b6a4cf72683699c0b88a2e2b258246a2eb5477f5520c6a73707d0b9700de03a2edbff26bc |
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat
| MD5 | 3b780cdbdc0cd3aeabc94a4bb80046f5 |
| SHA1 | 9f6be926f998be43df784b14154cc8e2e404aea6 |
| SHA256 | d56c1c7b75d935977ebc058b879df29fa781b1685dfdcc9ad6c89b696982b017 |
| SHA512 | e8186b90ef1ed9fb06f921537dacbc2890acd5579bce4eb062175dbb25c5768984dbcb71becca27a1c5d92e0e61e1ad70366b05d3f0e3e365f3f5f6be1a54e24 |
memory/860-221-0x000000001C5F0000-0x000000001C602000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat
| MD5 | 63c8f34a4181874a34f3d7bb406164ec |
| SHA1 | 3aafc2b3fc2ab7ec6f15f5cdb66dd67b08164b40 |
| SHA256 | f0ef44d9e8b7fcd761509456f4a75e27ec122fe77ce1823be70180bd98e44e4d |
| SHA512 | a238ba54a593917cdf132a9985ad1c46e8a3c80c3a318181f7b9f2b46146e8d260bafa1dc87cce5abe99e4ea7a8842a1033c68f53b85f70a5c7ef00012bda3f1 |