Analysis Overview
SHA256
dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6
Threat Level: Known bad
The file JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
DcRat
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Uses Task Scheduler COM API
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:27
Signatures
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:27
Reported
2024-12-30 02:30
Platform
win7-20240903-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\Microsoft\csrss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Google\Chrome\WmiPrvSE.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\24dbde2999530e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Google\Chrome\WmiPrvSE.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\csrss.exe'
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\csrss.exe
"C:\Program Files\MSBuild\Microsoft\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:27
Reported
2024-12-30 02:30
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Uninstall Information\66fc9ff0ee96c2 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\ea9f0e6c9e2dcd | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\sihost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
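The table above shows a recurring pairing: every executable dropped under Program Files sits next to an extension-less file whose name is 14 hex characters (sihost.exe beside 66fc9ff0ee96c2, taskhostw.exe beside ea9f0e6c9e2dcd, and so on). The script below is an added hunting helper, not part of the sandbox output; it takes the eight "File created" paths from this table (embedded inline) and groups them by directory to recover those exe/marker pairs. The pairing rule itself is inferred from this table and is an assumption, not something the report documents.

```python
"""Pair dropped executables with their 14-hex marker files (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# The "File created" paths from the report's Drops-file table, constructed inline.
DROPPED_FILES = [
    r"C:\Program Files\Uninstall Information\66fc9ff0ee96c2",
    r"C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe",
    r"C:\Program Files (x86)\Windows NT\TableTextService\ebf1f9fa8afd6d",
    r"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe",
    r"C:\Program Files (x86)\Internet Explorer\SIGNUP\ea9f0e6c9e2dcd",
    r"C:\Program Files (x86)\Windows Portable Devices\conhost.exe",
    r"C:\Program Files (x86)\Windows Portable Devices\088424020bedd6",
    r"C:\Program Files\Uninstall Information\sihost.exe",
]

# Assumed marker shape: exactly 14 lowercase hex characters, no extension.
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")


def group_by_directory(paths: List[str]) -> Dict[str, List[str]]:
    """Map each lower-cased parent directory to the file names created in it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for path in paths:
        wp = PureWindowsPath(path)
        groups[str(wp.parent).lower()].append(wp.name)
    return groups


def pair_dropped_files(paths: List[str]) -> List[Tuple[str, str, str]]:
    """Return (directory, exe, marker) for every directory holding exactly one
    executable and exactly one marker-shaped file; anything else is ignored."""
    pairs: List[Tuple[str, str, str]] = []
    for directory, names in group_by_directory(paths).items():
        exes = sorted(n for n in names if n.lower().endswith(".exe"))
        markers = sorted(n for n in names if MARKER_RE.match(n))
        if len(exes) == 1 and len(markers) == 1:
            pairs.append((directory, exes[0], markers[0]))
    return sorted(pairs)


if __name__ == "__main__":
    for directory, exe, marker in pair_dropped_files(DROPPED_FILES):
        print(f"{directory}\n    {exe}  <->  {marker}")
```

On a live host the same grouping can be run over a directory walk of Program Files; a lone 14-hex file next to a binary that borrows a Windows system name is a much tighter signal than either observation alone.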
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Downloads\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\providercommon\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\taskhostw.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\SearchApp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FDjabAlDYP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"
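The process list above, together with the "Process spawned unexpected child process" signature, describes the persistence and defence-evasion sequence as a set of command lines: schtasks.exe started from wmiprvse.exe, tasks whose target borrows a Windows binary name (taskhostw.exe, csrss.exe, sihost.exe, conhost.exe, cmd.exe, SearchApp.exe) but lives outside C:\Windows, repeated Add-MpPreference -ExclusionPath calls for each dropped path, and w32tm /stripchart against localhost between relaunches. The script below is an added example of turning those observations into checks over process-creation events; it is not part of the sandbox output. The sample events are constructed from the command lines listed above. The report does not record a parent image per command line, so the parent on each constructed event is an assumption for illustration.

```python
"""Triage process-creation events for the behaviours in this report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# '/name value' pairs; a value may be double-quoted and contain spaces.
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/"]\S*))?')
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
W32TM_DELAY_RE = re.compile(r"\bw32tm\s+/stripchart\s+/computer:localhost\b", re.I)

UNEXPECTED_SCHTASKS_PARENTS = {"wmiprvse.exe"}
# Real Windows binary names that the dropped copies in this report borrow.
SYSTEM_BINARY_NAMES = {"taskhostw.exe", "csrss.exe", "sihost.exe",
                       "conhost.exe", "cmd.exe", "searchapp.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent image path (assumed in the samples below)
    image: str     # created process image path
    cmdline: str


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def parse_switches(cmdline: str) -> Dict[str, Optional[str]]:
    """'/tn "x" /sc MINUTE /f' -> {'tn': 'x', 'sc': 'MINUTE', 'f': None}."""
    switches: Dict[str, Optional[str]] = {}
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group(2)
        if value is not None:
            value = value.strip('"').strip("'")   # /tr wraps the path as "'...'"
        switches[m.group(1).lower()] = value
    return switches


def is_masquerading_path(path: str) -> bool:
    """True when a protected binary name is scheduled from outside C:\\Windows."""
    p = PureWindowsPath(path)
    under_windows = str(p).lower().startswith("c:\\windows\\")
    return p.name.lower() in SYSTEM_BINARY_NAMES and not under_windows


def triage_event(ev: ProcEvent) -> List[Finding]:
    found: List[Finding] = []
    image = PureWindowsPath(ev.image).name.lower()
    parent = PureWindowsPath(ev.parent).name.lower()

    if image == "schtasks.exe" and parent in UNEXPECTED_SCHTASKS_PARENTS:
        found.append(Finding("unexpected-parent", f"{parent} -> schtasks.exe"))

    sw = parse_switches(ev.cmdline)
    if image == "schtasks.exe" and "create" in sw:
        name, target = sw.get("tn") or "?", sw.get("tr") or ""
        if is_masquerading_path(target):
            found.append(Finding("masquerading-task-target", f"{name}: {target}"))
        if (sw.get("sc") or "").upper() == "MINUTE":   # relaunch every few minutes
            found.append(Finding("minute-interval-task",
                                 f"{name}: every {sw.get('mo') or '1'} min"))
        if (sw.get("rl") or "").upper() == "HIGHEST":
            found.append(Finding("highest-runlevel-task", name))

    m = EXCLUSION_RE.search(ev.cmdline)
    if m:
        found.append(Finding("defender-exclusion", m.group(1)))
    if W32TM_DELAY_RE.search(ev.cmdline):   # local time-sync poll used as a sleep
        found.append(Finding("w32tm-delay", ev.cmdline))
    return found


def technique_counts(events: List[ProcEvent]) -> Counter:
    return Counter(f.technique for ev in events for f in triage_event(ev))


# Constructed from the Processes list above; parent images are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\cmd.exe'" /f'''),
    ProcEvent(r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /rl HIGHEST /f'''),
    # Constructed control case: same binary name, but the genuine one under System32.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "Sync" /sc DAILY /tr "C:\Windows\System32\cmd.exe" /f'''),
    ProcEvent(r"C:\providercommon\DllCommonsvc.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in triage_event(ev):
            print(f"{f.technique:26} {f.detail}")
    print(dict(technique_counts(SAMPLE_EVENTS)))
```

Each schtasks line in the report trips at least two of these checks, and the control event trips none, which is the point of keeping the path test anchored on C:\Windows rather than on the file name alone: the names are legitimate, the locations are not. Feeding real Sysmon event 1 or 4688 records into ProcEvent only requires mapping ParentImage, Image and CommandLine onto the three fields.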
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4388-12-0x00007FFD30E43000-0x00007FFD30E45000-memory.dmp
memory/4388-13-0x00000000005D0000-0x00000000006E0000-memory.dmp
memory/4388-14-0x00000000028F0000-0x0000000002902000-memory.dmp
memory/4388-15-0x0000000002910000-0x000000000291C000-memory.dmp
memory/4388-16-0x0000000002900000-0x000000000290C000-memory.dmp
memory/4388-17-0x0000000002930000-0x000000000293C000-memory.dmp
memory/2020-45-0x00000155A8860000-0x00000155A8882000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0hula1x.evk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\FDjabAlDYP.bat
| MD5 | 820f7492c3828554e26a1dd74e7f170a |
| SHA1 | 6d909bfc6e2fd4c009fe9e7283cd92aafa33d24e |
| SHA256 | 178e99949daa4375cb7809b6d9b81a679ba84b8cb897099f3b86a78847e02e78 |
| SHA512 | 5ee3483f3704ffafde697a14c184076b0178ea1a2cb2ceecb7ee2d3817b0b727cf00abdd6230e847025a59f592286a4efee544bef8eac95a71c657b060aa6280 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat
| MD5 | 92bcba5362ecdd5a1715a195fea95634 |
| SHA1 | a8fa82d8e1c47a2a2a2dfdb151768f8925e41de4 |
| SHA256 | fe40e5ebcd47e868dccee14bec97ebebf22f2ca9f6566247deb807e6985e08fb |
| SHA512 | afe1344aadf6e1b9d5110eb4c6c006d62258d43c4814a9b751bc546e87367d1906d408e4e973f963317e523b2acf6a7e78dcc5374a207f497c93adf8ff996339 |
memory/1604-163-0x000000001CAB0000-0x000000001CC1A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/2032-170-0x000000001CA00000-0x000000001CB6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat
| MD5 | c2c1261181c6887ace6c53b20dd30c6e |
| SHA1 | c8bcd2f57e0715b1941e405ae01f92ea1e78789a |
| SHA256 | a99f81b9b16267b6fd75028633d4cd4f59692fced65ee4f2f5e9284cc953ede5 |
| SHA512 | e76cf82eafafc62d6d42d1699271a29e3f95318b8f411a411c39f876397b90a5965db0b9cb9853aa9a2580787dd95883fdd06e62816c54e67f79cbf180abd0ac |
C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat
| MD5 | a1f43007e927e1791079613f677a43a2 |
| SHA1 | 4cf00e45d465b54fe1031cca018a2ac3c2272286 |
| SHA256 | 232df95fbcc8ee7157ca0438713ce04f935653f66cdcb7b7c4da227cc80456f2 |
| SHA512 | e080e1b7aecbdde6fa5464f3a775834d3814c91f760a11d97724dd31122d5b1475bbb93cb81e638dfc9bccfa03b429fd311388b954bac903cec5942f0bb6d00a |
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat
| MD5 | 242003e7a06d414fea9974a79879fca9 |
| SHA1 | 579b60e9f77619649c1e09c4658657082ab986b0 |
| SHA256 | 143cd769ad587b2a245af4a93773364b847c1c9aff4c97121eaf5b43943eb0f8 |
| SHA512 | b1fa0ce53ff91abfd11bd9b6baca1772f489191e821c31e3cbb6cad0c59649a55ded22796f3f697c31a3721bd171ca84aea081e1b4ac956139142a69274af230 |
C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat
| MD5 | 4435dd52a652b8acf6712dc96dc09c39 |
| SHA1 | 8e18233347aad3a7ad4205ae7363fc4976307645 |
| SHA256 | aa2b36b9ccedfd788d0df09c0e44f5a66cfe5e7e5cf1aa49843d3afac3df210a |
| SHA512 | bff773e1225bd4878bf556cc6af80861dabac68d4419003e5101dea26f0a319890e4c29b43553ad914e05678c206cdd9da6de7c93fbf8d8396c4157c24bfa1cd |
memory/2848-191-0x0000000002FF0000-0x0000000003002000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat
| MD5 | 74513d67254e25d8826691f2cb50785f |
| SHA1 | 04003b8b25b8b2902ad8f82a223eb091f1b766c9 |
| SHA256 | ea0d3c0904c43a55e27c29cbf488ae45a4f99231f6f32bb210b3c1195b4c20e2 |
| SHA512 | 1fdefc610fc13c54ecfef0bbb4af8bf00a63c04e6d4732f2e4ac491a03b2ed9d0fadf154198205406d9ae454c8ec349a911fbe75d8b88bb4598f3a1976b1b6be |
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat
| MD5 | b7715f2b96e4b65e0bcbfba16f5b383b |
| SHA1 | bbdbe743303285c56cfd03885039452581718367 |
| SHA256 | 30c8139762a1e6d3bdb2f372b8c73a271a5cc8777b1605ff2b800fd617eec9a6 |
| SHA512 | 1b3de1f30fe30f887f98f466beb67374de42da703bb811ab80548fd646ad1ed4340031c588874960c3d2c9ddd1f0a6c7937eba648a49abec8a804080f23ce195 |
C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat
| MD5 | 3c1ada63de53e24b1053ad213bff7b6f |
| SHA1 | 3ec5c0589751aabb34c520841244b2574a5d8345 |
| SHA256 | 10ac6fcf27a9b8b9f959c5d617b202a70d17481050881f64fbc11bf98da9ae10 |
| SHA512 | b2f9eaee0176a6ab27edf3716265f2276d053f27adaa87abe3b02d9f04be440bb315b0037db6bc90ecaf6e4b4cbe5577977eb18098d2b1bfeb8b7084f8ebc138 |
memory/2284-216-0x00000000029A0000-0x00000000029B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat
| MD5 | a2097af67a3ed07e330a2f4420d02846 |
| SHA1 | da1e37f67cbbabeff845fceeba0b56190e3575d6 |
| SHA256 | c9c41e3dbe95e1c3922b1a761fd7165184607b0a5370b49e074fded0a310c485 |
| SHA512 | 1cc83801939e2ca3591cfb017776fd311a61576ab6621b90364f0b37a8960605429f701d2b2d8de7c1e8bc2c0128fb2378c76495e98e62e63609ab2476011254 |
memory/2564-235-0x0000000000C20000-0x0000000000C32000-memory.dmp