Analysis Overview
SHA256
88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2
Threat Level: Known bad
The file JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Dcrat family
Process spawned unexpected child process
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:20
Signatures
DCRat payload
Dcrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:20
Reported
2024-12-30 02:23
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
| N/A | N/A | C:\Windows\addins\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Windows Sidebar\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\ja-JP\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Defender\es-ES\WMIADAP.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Defender\es-ES\75a57c1bdf437c | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\addins\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\addins\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D4akJCd5SR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\cmd.exe
"C:\Windows\addins\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2676-13-0x0000000000B00000-0x0000000000C10000-memory.dmp
memory/2676-14-0x00000000003C0000-0x00000000003D2000-memory.dmp
memory/2676-15-0x00000000003E0000-0x00000000003EC000-memory.dmp
memory/2676-16-0x00000000003F0000-0x00000000003FC000-memory.dmp
memory/2676-17-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a8edfa4bffed7f5b48982d6be1bcfa07 |
| SHA1 | f13c69f405f7862d10b683be4a12da58858cdcad |
| SHA256 | d81542cb22f0dc6212270ab147d649cdc82f17e0bca30b30ada8377111bbec9f |
| SHA512 | ac98f981c4c85914eb7558b66905fe4759d451b004da512b4b5f282ae4b222f38825090d9c1cf012f93fa00a34db568f3e461dc1ca0c8cd532ed63c9b810f041 |
memory/908-55-0x00000000022C0000-0x00000000022C8000-memory.dmp
memory/908-53-0x000000001B4C0000-0x000000001B7A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D4akJCd5SR.bat
| MD5 | 9c75b1dba85b6ff66a17d6022c642797 |
| SHA1 | c1a956d1df03da9a1c55690fad2ab844440384fb |
| SHA256 | 2af8e1e2cf827c76464a38d427d39870173c3c385dd8592f28b1f013145e1f86 |
| SHA512 | cc571816367ce4b1a468ea5807e721af61795b94e6057f65aebdf4963f6064714c423236e87bedb56aa76a28a3749aa22e6b1ac3eef81fda73630a1cdc6adecf |
memory/772-108-0x0000000000930000-0x0000000000A40000-memory.dmp
memory/772-109-0x00000000001C0000-0x00000000001D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab1FB3.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar1FC5.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat
| MD5 | a705d9d850bc828eb5950bc29d92d73f |
| SHA1 | a40603cb47fb6f31e7706c2518a59be43b68eb76 |
| SHA256 | c225e58de8eb00bbed728f7ef1b0c29501fa5c85e7595b37d533e481268dd606 |
| SHA512 | dbd7b6b174cf6d6bca5625010c16e7770151a3a0db060003dd3d0e21d39dbc65bfa80ada475c8e069f044775434d8715d1db4a9dbedf0f21c1379ee2194d28fb |
memory/1856-168-0x0000000000AA0000-0x0000000000BB0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2fb79e3b85c24971d9876b08497eaa29 |
| SHA1 | 746509ace1d0d24bd36daf1023af8457d79c8434 |
| SHA256 | 05dfe3f8a48e4bb4371b95e90c7ec548506e6616392bfcce5d66a2e39ce1aa0d |
| SHA512 | b454a19a6efcb6bb59f59bb6a3272d63b8817d6dcc6958cb1f3850b73814d2cbf62d89c5a06ca15d86c116254ca9d6ce0867d76e73a0622e51b2377dce2b6318 |
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat
| MD5 | 70b13c5da1478d11af6b136dd2f5f663 |
| SHA1 | 894a24099050862008f2d77ad39a36d0dac26a82 |
| SHA256 | 975f6beb84e9a3138560938a21f425d5dfa91bc4ca9eaa934ee2e314a7285375 |
| SHA512 | bfc75325c9e8a9c5930009b0d064f1e36295a0323953ca0f73558c51662847253127e44b1018e6bbafabb9c042f6e2679733aa0fbe7dfef9efd4a3caafaa6938 |
memory/2440-228-0x0000000001050000-0x0000000001160000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 742a3abf848007c2737e089789035cd0 |
| SHA1 | a83287fc00a7c42043c6e44a02103f53c52da1ab |
| SHA256 | 965f1f56e20767755c25c8ce8fc1da23fc119a2fdb24e02a085a593a5ebd8ff8 |
| SHA512 | 8ef9c6a81f157ea6214091986cdd46817eeb7e82db2996e2e25e5337b3fcd566610ace5f7e7f9094886bb30f0a4515efe99de0beb1c4a8aab989eb56ee951233 |
C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat
| MD5 | 7e563f7f3588be116b1d7951eba8d137 |
| SHA1 | 33a8abc51d56d1f95353615f2c5db6f996d6b4f6 |
| SHA256 | 3dfacf793271430c7f156bc7548ae1011016c96a627d7fbc623671f7bf6b8882 |
| SHA512 | 98216996b2d93c85f7db972728c37e200e0569a9031d1dfced68a9230bff44bc5deea79df874154d92f101672e8f1808e09fca66c2a2cbf8849c60864c97f537 |
memory/2256-288-0x00000000004C0000-0x00000000004D2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e565173e63d3e0014c1b8aa61293c716 |
| SHA1 | 1a529b0f7aed622979012e32ec0f4db4b6185300 |
| SHA256 | ae027655452974d34e54228232a1a0bb834a3a3aa53b536611aff80bfb534757 |
| SHA512 | 2d3db91f2c7fb0be1ce73f1ed9c3bb0fb6e8b9cea0a20d88fa4b0470f75eb48a11e6b272ddcb4e8def2d3d93b96ce5065560e5e9eaddfeec6d7c7bc1cfb7a912 |
C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat
| MD5 | 7c2cc103aa2e0ecd8ee6d8e7f3cbef2a |
| SHA1 | 2850c0766ba7bcd5e477a18974cb4f02d2032bed |
| SHA256 | 978a9419ada2195329c1d942710d4ad46e128f4f6edad1d8f6022c9cf54549f8 |
| SHA512 | fa428d8d1dbe523bc4005c03fb68d31c36b66b0c88294e2274d65f4f0a4cbe921bda08d2743ee8b28ed6b5a7eb7f10ba1b6a5cd74c43424a82c8e5d5b15b85f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a7e915807160fb96ad0c94d76de4f439 |
| SHA1 | 11b98b6f3059bedd7db62bcadf95770c4950cb13 |
| SHA256 | 472924c91d85d92d1563ffc1b490f87072b42bf278d66750749be08551b06aa5 |
| SHA512 | a7643cdf666b883d570f548891ce856868a6909b5bb581c509731947b4cbbad6f5e7e6fd9c9d8bf586d2d2b9b1898e9527e3e5a63a2806e82816393edc9efca7 |
C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat
| MD5 | 799a27018cbdb0da4bd0a37e657870a0 |
| SHA1 | e71efd2d844b586a34f9c8d733290797a6386268 |
| SHA256 | 20c8b4df2bb880cb9e98f4601a96db230e99e4e66ced974c18ef3e3a810b982f |
| SHA512 | 699f075e3c9614ca92e976a68e576d49481743d80515c2c9086815160cce862bfa1d50eff2824b3a718a7411a60595bf3a215174f7b9f1809a46511c60b6ff32 |
memory/1580-407-0x00000000011A0000-0x00000000012B0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5df29240e352ff1f7446133f91406c99 |
| SHA1 | 047b5f11cfecd49bbd804970636a6124378417cd |
| SHA256 | 42dfb9bee1855df87a66f69236d0a88cdfce62f5cf2a617f0bade0d9efc72617 |
| SHA512 | ad49d844faf704cfc695b958dfb9969d25804b2bab1ee996b140492279ec4e5e065e64746792d39d669fc1e92394ab6b83428416ad84cba6980e850e757b2408 |
C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat
| MD5 | fe2eb7522c3e969db96110536e2c6c77 |
| SHA1 | 22537cff7a66e9b2208b93b64b40e0d47bba6078 |
| SHA256 | 5c2ac176b6325bd170fa1a63e5ce7ec8f3b933406dedb35492bcd44de186bb90 |
| SHA512 | 4b3323732c91936df52591238add37f40bcff6ca98d336adcbc4312ea6ae9928dc30ebab093c14f783b4284323f8e03182cb9b90c52aa3a47a373b4257ee66de |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 13e57e13163796a2bb0c745300e6feb9 |
| SHA1 | 1aadebf89c9294c7d6e90f2012123c571219109b |
| SHA256 | e5c4093eba042d1263d7b263c5d7501bcbfb4e40057ddad9ac08df3adb656c90 |
| SHA512 | 13186a4c6b6d51bdadba5fd06303c6792626cd34551ba89cd0894cf48c24051d7de7eca93d1ef95f7f4cfd3d6f9ca1cf6fafe2bfca6ed9ec0a703d45b85ed982 |
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat
| MD5 | b874e5eddb82c688e25116ef5bf9fce9 |
| SHA1 | 05dc6ccb27619c23476553d20baef397d50853bb |
| SHA256 | 74bb81bc475b2a60f3167eb8ecbd8c3497104dc79a9f5f0867dcdc17d3f27280 |
| SHA512 | c9fd74c59b041d17e9a27eabae40d9976f293c4b5b46149847bd8e4d85def5545b3b7f715f97dc0b4043c831c123e116aca2141f5d33b83ba0ae0bdd41a2376a |
memory/932-526-0x0000000000330000-0x0000000000342000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 75366fe9460bf814dd531a27e30fa97e |
| SHA1 | d3992ea73ffecec01d6d35fda1c93934f2d25735 |
| SHA256 | afd89f931270c4b53741a08a72eda005246142239124db9eb48100c46d2a449d |
| SHA512 | 4bbd1cfb08825cbe859f7d5a0572ae779dd12af410f1e26079fba5df0cefb4b082d97172b740a9774dbb22f42a2cc72013516254c1bbaa130dc60197fdb2fcaa |
C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat
| MD5 | 757f5c45a4a052b383c304626c033653 |
| SHA1 | 1231442633d2974338fca1278b82f30fc1bfa8d1 |
| SHA256 | fe36a82b44982451431b4e2d02397b3e595bbd8e607439cb68a8930eaf50be87 |
| SHA512 | 73f0808cc79942fd2725bcf7dc3c16a8a01106727d17fe73ce9703e5ccab0fb42f6a57a0ca9a64618a3e36a09696c28cc7bca7823eade9d4999e74e1a53e4359 |
memory/1632-586-0x0000000000640000-0x0000000000652000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 292be81011f7ff724dc8d45205564ea1 |
| SHA1 | 1033340083c362be81859f2c3eddf08fe4e6439a |
| SHA256 | 989321295928b3de82319315431039dfb5dc00c67fa6f5bcaae0c5949189380f |
| SHA512 | e55ab8b0b5a151826c7e5140117c611e152f78474a30be5e6089c8ba212d24c05d088badf1af0843a76be1d1d4676095fb2efd45b8af9c6d9e8fd71e6c300574 |
C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat
| MD5 | ee5c0d6928d5639febdc817bcbbef807 |
| SHA1 | fb0842966b6c2c2156aad2a1b62d115adcbccf7e |
| SHA256 | 796aa4c0032c0d7a7ecf8226e70b3c0c5cc116469090d845850b27da1fdb0f98 |
| SHA512 | 8892bf1ef8ae504edf7ca44b0396e135a491f0fb24f37f5ab3e9b1dff59c512be62f637601267671b33f47feb42192a45331ca51ceab51ba2e31fbd28df3387f |
memory/1032-646-0x0000000000290000-0x00000000003A0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a13c4c0d36bc554de80a77c71a0f319 |
| SHA1 | 15a57619c66ff28e1d650da20d16f40a673e1792 |
| SHA256 | 4fb39d186337d112d643ae5d61139eccbc784a26991d7c4bcd4aa9889e557ee8 |
| SHA512 | 05476e50c1024cf0a650ab58b42d52baf26390a20e96c0ef32893338928959e6a878d9b9b9055f4215b80b6c91104011f64c7d1ee701422b445dc434c42b8ca2 |
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:20
Reported
2024-12-30 02:23
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Templates\sysmon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\Templates\sysmon.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Boot\Resources\it-IT\SearchApp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\Templates\sysmon.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Templates\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\sysmon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kIZaRYwl1q.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Templates\sysmon.exe
"C:\Users\Admin\Templates\sysmon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
C:\providercommon\DllCommonsvc.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ey5fb3v.vrc.ps1
C:\Users\Admin\AppData\Local\Temp\kIZaRYwl1q.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat
C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat
C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat
C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat
C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat
C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat