Analysis Overview
SHA256
71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3
Threat Level: Known bad
The file JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Process spawned unexpected child process
DCRat payload
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:31
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:31
Reported
2024-12-30 02:34
Platform
win7-20240903-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\RemotePackages\RemoteApps\101b941d020240 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Vss\Writers\System\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Vss\Writers\System\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\RemotePackages\RemoteApps\lsm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2680-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp
memory/2680-14-0x00000000002C0000-0x00000000002D2000-memory.dmp
memory/2680-17-0x0000000000480000-0x000000000048C000-memory.dmp
memory/2680-16-0x00000000002D0000-0x00000000002DC000-memory.dmp
memory/2680-15-0x00000000002E0000-0x00000000002EC000-memory.dmp
memory/1212-42-0x0000000000080000-0x0000000000190000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QO5QXC5CPF025TPBDVUZ.temp
| MD5 | d06d1cb298244f9755c8a9f0e49488b3 |
| SHA1 | b1ba4336cdd9c19b267ea474f9f8044be4770b83 |
| SHA256 | ed9fa0eaa3490a6c79c1154b9506226537d55f3a96dd2c74d259a207a0a7e5c3 |
| SHA512 | c5ea5de462f28e1b1a012cc3e504bb555e66fbc3b1d9910e97738a62d7accafec526dc8cab0abfeece73935ba15aa4746544300cd01015f9be680491062d93c9 |
memory/2952-54-0x0000000001C10000-0x0000000001C18000-memory.dmp
memory/2952-53-0x000000001B630000-0x000000001B912000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC821.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC844.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat
| MD5 | 170a82a5bb39adbe1ac2764c30651f63 |
| SHA1 | db01d4c649c27fe55a7eaab6af694d42a47d384b |
| SHA256 | 099af29f60b6032649cf46f58dfa57b801cfa3a3f49a3f1f7a91147ea4e06080 |
| SHA512 | 56d6e931c15e00957b4105ef3363cd8b76bc688761c81178aa515b3d46f2b13e3244098c320d6bfd23079e5dfd19e897a0de8e0e057d3acfacd98b65b5207aa9 |
memory/644-152-0x0000000000240000-0x0000000000350000-memory.dmp
memory/644-153-0x00000000004D0000-0x00000000004E2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e737ec274e0fc813619f9f3f19fd487f |
| SHA1 | de9dd67e2150d231694d5cc92a3f198dc400e1e7 |
| SHA256 | 88f201c5d2a02a2e9547afcbb30aaf65ed07c152adb934f200c6d2e57daf38a0 |
| SHA512 | 244ed3d36f49238ff3d0a822d0368d071ec66e3b07689729bf408bb354211ecda68c1b4de37bda974a8c91a10d819a6ff213ea38fcef998c7229c5d076696f4f |
C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat
| MD5 | 49876d5728cbd550e42f3d8cd31c4cc8 |
| SHA1 | d820ee39833d865bbabbdd3c1830111b4d29b779 |
| SHA256 | f79f5315d3f394e9ec86215fa38a5879329c019d1f5b0bf78140d8fdfd52336b |
| SHA512 | 38fb133ba2e8d832296aadc3bd9fab1c6d619c50a0111dd41a9ca2aa950f9c3438c913ca4ce4d01a25da7e8cc009153eb5c52fc09d1cee4c84f845faf90e22be |
memory/2212-213-0x00000000003C0000-0x00000000004D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | edf352b24fc01befb7cf1c1770dafcb8 |
| SHA1 | 88556f5c31a90bff2f923d4ae3e43cd553d0ece6 |
| SHA256 | d1cf2c572692f84ab77511552dfc875d7fae6d16535d0d74f8dd9ff085c3f130 |
| SHA512 | 583035626ee09a069d482f5b3066c714757b1ba9e6ee8c7d7c7861586b5528eee64d1642915adefe87a3d9a18406934155c1ea1131ef78d17cb24e19f2951802 |
C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat
| MD5 | c21eab64699bc7ec0a70f7851786034e |
| SHA1 | c73b733794767b8086b69a648026bb54ff5782c4 |
| SHA256 | 56e1f2fe3b40d018491b55236cb0a00b0d8a05af3aac1a9d3e6422cce70fb42b |
| SHA512 | cc687fa10d8d72f921f94282e6fe5b56f7a56a102f42adfe2c70d4155acc3663925f0bb521008b325a0b302cc5e0719b4b678f519bd5fbd6543b9d565efbecd5 |
memory/3036-273-0x0000000001100000-0x0000000001210000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 78fa509f5b05dc4074668ac41bb44a2a |
| SHA1 | f9aafa763f69fbf21708af5b241f6159759aad8e |
| SHA256 | 30a6d630f60957a268f6a12b5247e6e7ef0bd2b7b88d096731d710a51aa1a426 |
| SHA512 | e2d10138a7ce82c367fcebabb595743b60fee6096859f43214d466d321d10d9ca061784aa39a9222a84bedc3289798790d22a0d1e39e45e98b5d71cf07e71f20 |
C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat
| MD5 | bf3b043f63b78ea6510a4900a97cf2b7 |
| SHA1 | 6fafa889f889d4e4491930419159dfd460899e2f |
| SHA256 | cabf7da8725f484fee4adab4534d92a94c8dbe623ff0883123969ef724ebe40c |
| SHA512 | c5422045413fede9efca4356ead5fa5014fbad0aa084fdaa89fe096d316af1967efc9dd42819fac0d1858c6ace6499901dcbee35796bb379fda60a068e4c073b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4892307fdf17080bae9b068f114aff9b |
| SHA1 | 113b4f90f10809ad2871126c0342e1b7471c8e87 |
| SHA256 | d1b744869d46c7b7ae8ddaa25e7bec42eb0b53eea00bf1fcff6f76ea78075a5a |
| SHA512 | 37c217d11fe1fc9f1b44ed6007647326b8bd79171c57a0827128250bd6a7ec0e1a571fb94d49f5713e2eab73637ccd90a38be65071277011cbf8603949e46912 |
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat
| MD5 | 71bc2ae5a5fb7319f3e35d20207d4590 |
| SHA1 | f73b5bdb1f7e6346cf1f84e443bf64ceb0c1509b |
| SHA256 | 749c471ca39ccb7c7f6ce1f05255298f66df0ed98972b711842b62d863722ae9 |
| SHA512 | 331665613a671d24babe57bd61a89d985f275559ddcc86334a0d48090304b0e6d8edd89ad4d589ccac03acf6b7b54456ba4db74719b24f119fbbbd3614d19033 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 023563e23f7df9321cc96b2fc439f078 |
| SHA1 | 53d247dcec079edd32151f2662c24a57a2e462bc |
| SHA256 | 6e02527f5ca99bcf5e20a7b1af2acfc32baa527911266aa3eb1b5c710f41d1fd |
| SHA512 | 9920087d26fcf3ad2c2153799cd4d6d3e9ed7f606cda82c45cd777e1e39701b5351394ba153f0f2dcbbfc37def769e5bffeb7c9053b3e83599253fbd36426912 |
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat
| MD5 | 2ac3cf45b31a7e4d8001c0764a26c70f |
| SHA1 | a3c67f6a3430a46660159edb28465a0870448263 |
| SHA256 | e381e7443a760822eb438cd56e255b33f974f5a8deecbbc1a861aaeae77abe00 |
| SHA512 | d1f71d681aa0bd175fe96d4a7e8a5311375b374dfbfbff70df593db963a5b541d3156dfbb4e65c9d0cde1f4c8a0d9476ca4939d6cc26926c41fdd383f7f57db7 |
memory/2404-451-0x0000000001250000-0x0000000001360000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ba581b11d8d1752c0a62efc728ffa5e6 |
| SHA1 | 4475c060427cf100839579b5415260feb04e0750 |
| SHA256 | b0d80f0fa692d11c6c0b9c2cbd8c3934117e8a5712d14c078639977f03f75be0 |
| SHA512 | 6ca207598329120715bc276cfe3754d043c7e8e4733ab0120d293e209632a0ea5fcaa9b410b88109cb275d29695e619a4355ef094b18c6dd3ac844890914824b |
C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat
| MD5 | 30798499ffa0574f56c11f3244c455d7 |
| SHA1 | 1b97406987886ccd11f817b7acb2536186365136 |
| SHA256 | 25027e55acde40d4d928eec9feba1c644e005208abc720703561d151f9feaf3c |
| SHA512 | 40918b925644f529a15145fa272147405112ca465343367e7db8c25dc8807addb3e631ecdfc81827c975be1e1a4a8bd0abb3d791a8a5e510d64a40b6b3a48968 |
memory/2864-511-0x0000000001280000-0x0000000001390000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 081990756faeee74974483c1de9d879c |
| SHA1 | f2325164b304a8e9d29e5365e6a66dcd996d498c |
| SHA256 | 421035e96aa9d301c3481aa12d5102b7694a54af530234268e846f2f50ecc497 |
| SHA512 | b61f0607297eb9f2cbe0a1465a0effea6925d6b09e5d4bea471125dc9fb4ba4f23fedb61c22f1392e10615710054aa8eabb9aed35083ea3cf2d66a19d1742fba |
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat
| MD5 | 99a5585668d66283836a468a5568cd73 |
| SHA1 | 2240f79fd8e681f710cf747c181024dfef9032ac |
| SHA256 | a892817e78d703b71a0a9fcfaaecc2c51e6ea7c8f50bbf078ae705f3a7409833 |
| SHA512 | 96333d84f83f66a46304c1b8446c271328baae20b3ae11e37dca4f105d1958deb0bef994680f984a0802d24861dc91f7a55d18ec60c0d9da9cfd1a935a66beba |
memory/1548-571-0x0000000001390000-0x00000000014A0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dcff8de5325fefd15ab1717b3d20a74a |
| SHA1 | aa9bcc53a5fcc8c306a5cf02cbab558436c79336 |
| SHA256 | 73aa90874d3984dc15e8fdb4905635f64f3d277e994be178cc5c222b3dba2397 |
| SHA512 | 677e65437276b5e98d5d2c2ca190759f1d2724b02f8d2b116672c8d45b17647549bf42ac89d6f22e165190a9d2ce0cc1a35c891814c72690fa368306090d61e1 |
C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat
| MD5 | fdd7362939aa4c354630b675f573d4f3 |
| SHA1 | d772af70dbadc0487b7ab229c1350acd23372b60 |
| SHA256 | eafea70d4c95fcdbb54b737fb7d7bb71526e4b65d2e38e251108390373bac56d |
| SHA512 | 39254543b2b0eeef7ad906722b8da8dd2cf530acf5f63e964770b6275809a9d8a2a650ca2a46079730afcc21c15693ceaee38afe06433a2664f65774421c91f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a18fcf88d1c70bb0f7d0a78f88594a7f |
| SHA1 | 0c71aed1925f269c66aeb5d52c9c75550ff01436 |
| SHA256 | 5110414b5e094d512185747680f22c1378576f89a8df39dbdb602e833ddec08e |
| SHA512 | e11341ac2a675268de3df7908676f6eb2f9d0f0fffb1830cb847a88776fa1c62776b914eb9984087225bfe71754ee2f13b659e5c79defd58aa1653544e5a6391 |
C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat
| MD5 | 47259aaf2a5ba9e6d6a05ef242f7c7d0 |
| SHA1 | 67a6b1b84853538cd15a8a4105797302a6893ade |
| SHA256 | a4cea47b640ef2a328c4457dc3a169d132ead3aa38a52fdb911017fda684b375 |
| SHA512 | e37964f0e2f2b410e1f126d00240b6b512f3262487031303089afcef7bef148e3cc6a80e32dac6a56155cf4a28364ef79dfcf7a155aa863e6a4e23119e0f0f88 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:31
Reported
2024-12-30 02:34
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\spoolsv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\55b276f4edf653 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\TAPI\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\TAPI\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Containers\serviced\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Containers\serviced\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Application Data\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Containers\serviced\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Containers\serviced\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/432-12-0x00007FF94B2D3000-0x00007FF94B2D5000-memory.dmp
memory/432-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp
memory/432-14-0x0000000001720000-0x0000000001732000-memory.dmp
memory/432-15-0x0000000001730000-0x000000000173C000-memory.dmp
memory/432-16-0x000000001BB10000-0x000000001BB1C000-memory.dmp
memory/432-17-0x000000001BB20000-0x000000001BB2C000-memory.dmp
memory/1916-68-0x00000220A41D0000-0x00000220A41F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_egwb3t3n.qcg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/536-142-0x0000000002940000-0x0000000002952000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a8e8360d573a4ff072dcc6f09d992c88 |
| SHA1 | 3446774433ceaf0b400073914facab11b98b6807 |
| SHA256 | bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b |
| SHA512 | 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ecceac16628651c18879d836acfcb062 |
| SHA1 | 420502b3e5220a01586c59504e94aa1ee11982c9 |
| SHA256 | 58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9 |
| SHA512 | be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 28d4235aa2e6d782751f980ceb6e5021 |
| SHA1 | f5d82d56acd642b9fc4b963f684fd6b78f25a140 |
| SHA256 | 8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638 |
| SHA512 | dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2 |
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat
| MD5 | 4fc313004c17174f010723f2cff9c8ca |
| SHA1 | fd22af0a37e9a885bb8fd254e75aa570767643bb |
| SHA256 | 6778e34f666b151861b7ed4a381d04a6f737efcf4689074279b6763548731f47 |
| SHA512 | 3bec0f7689ed4b68957f11e0cb83fcb55a9c0609520b534755958d17b42c08d6018e0a6aff5abaa4435c79dfad13a454cfb7623e059ca7e89e021b8bda012149 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat
| MD5 | 742af4a3f8089b6d95a760cdb57bcc2b |
| SHA1 | 0e0e6d0ea6d8a5048b5aed7e63bce731ff460f9d |
| SHA256 | 761c42a2cca6f56dd31c85c1df88ca4e7883ace819588eca36465c3c06d72c04 |
| SHA512 | 68b5d025d08178d127fd520750ddadc02a49f7c66c9e9a25865161ce84b723f8ce8beac055cdede073865ca39d82e53f71fdc6e0f626297ba6f394b875da96e6 |
memory/5036-198-0x00000000025B0000-0x00000000025C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat
| MD5 | 8060da6d2d56701b9a73313c9abf62b0 |
| SHA1 | 1a0400b307717a04d0062ea795aa9bef19c41b1d |
| SHA256 | eacd84331823c751cce56f971eb643e7de4d7b8a8e7d6f878245092b79d043ca |
| SHA512 | 72ee78cfe35a9e1fa6ab826ef62f138dedb23e84661b3553e3e82521aabec61d8330f820c94b4df8b9c1c7620b1db25b58ce6d789d2b980b6a05db5fe894bb2a |
memory/3588-205-0x00000000015F0000-0x0000000001602000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat
| MD5 | 9fbbed690fb00c589c2041ebec0e4111 |
| SHA1 | 5320bf6b44daa9f7fc647ad2393ad65abbcd48e9 |
| SHA256 | 7261885a81acf1264101319934362dad1c4e40d9fb40834cfdab0f72afc0f5f2 |
| SHA512 | 28523fbe56493484a9fafacb174e6fb6cef6c1787e460974bdeaac71b7d6a7b7fef5d70dcfb858c0c93844f1516c6c92f34babffd8547f263d25b280231fff8f |
memory/2548-212-0x0000000001770000-0x0000000001782000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat
| MD5 | 0c11da476e2a13eaaedcb0de59f6afea |
| SHA1 | 0d0a129a5523d6143bb763b613efccd28748f12c |
| SHA256 | 21559c3be7d3191c57a44ff5baaae7fbc40a6e0ee261a12c47771bafb947d18d |
| SHA512 | 15a4b5e96125cac7e6353ab41e7be39989f3374fe3db16e9dd21cb3401090525be244191e2138ae768adfa248c9ee8d5921c2096802ea1e6f7ff7ea025ebd47f |
C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat
| MD5 | 982ef46df5f773ad796c7a4fa5ef9c62 |
| SHA1 | 2b01194a27f1752d7845bd6e576cd41cd704c409 |
| SHA256 | fd3a85bc0810d72a42d1b5a2325552234885509f2dff207d8b07eadb388a6af0 |
| SHA512 | c0c3ac320d97890cbaa37cac199ffc79ee86f9dd84f6b0d067ead3540d92c9d25309348f3a5ccdb40646a5fc42b984aaa3b8c937a7e42331cfaa95c18af51c95 |
C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat
| MD5 | 1922ffd5f95f3ab38a5f07222617b2f9 |
| SHA1 | 19845b0a22d47030404f300913b9a6cbc260a1f7 |
| SHA256 | cc418e1ccaefc01a2ba5210b8fa9d6040ce1766763391738b0ecd00fded17881 |
| SHA512 | c4fe9c38ce9bf5d488aeb587092c4c8a83e984ea4d5e7fc081eb7d1d45d69489e381d6903d4215ec6f11547405e960ff69e653af4841879f3e73e33120ee5b24 |
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat
| MD5 | 57a884d8985c3d28bca36ee6dec8d2c0 |
| SHA1 | 717ce06b76c97c390c77e72f3ed788361348c0dc |
| SHA256 | d003e9c57f3557d97ba2a51dcecc1bcc2d6429e632e43241bf1ed60fd93dd051 |
| SHA512 | c96938d5a97b53d01d1bc0fe7a976c860d58eab735da3863dbb3768698f2e739c3166d4e42b76c28566e56bfd0b282d45d0cbd077481c06cd429754c1cb70bf8 |
C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat
| MD5 | f9c9ab5617280c80243b3c223ae505c7 |
| SHA1 | 766dc634656b196bfa73b8970f420446a1b9d2ad |
| SHA256 | 8768afd38a2acfd0b335b17918e8c8fe9313feb23ed967f21123e58484d45d16 |
| SHA512 | 6a355f8ea8bd8c0c8a5194b967cf519603c3e8527dab0ac6db3b9355235ec9fe6e934dc973b3e9a4fd3b7d917874d372cba6794022c335da54e84004a505fdb6 |
memory/3552-249-0x00000000016E0000-0x00000000016F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat
| MD5 | 300e434b28d5ed67c3418b30f5641afc |
| SHA1 | 6fa1e4964c5ea5d9c33c43eebccedee48def6e94 |
| SHA256 | a79023484c0c0c6c5f1c627be7a8042384977e3844ec58fd9fecc5ea45fbe95c |
| SHA512 | 37713f50a02765ce4ea51d74edf27d4a1c30f8670dd6ea99a0193e8e7915dd917c265393fc6bf469891ba95e89c915900d2c0e63f4345198bcdec4ae96d34c51 |
C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat
| MD5 | 8443ac11273ed11b29509539d0928cc1 |
| SHA1 | 494012bc0a727d4ca1bec1bd9532784ab3e13481 |
| SHA256 | e84450072712ceb1517881bb03d05346f16eb6b9559e3fa104584b82e4111338 |
| SHA512 | 1830e310d6160516eed58abeb8a716768e1877a3c0216f55010b032331ea45486a4000d816f9184139ffd40ad3a3b47793f5949cddd693677065c07131edccd6 |
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat
| MD5 | 2c6dd729642027ae6b9a7b8eaa978b64 |
| SHA1 | 38181cda539a36f6aa936a5545c9a80b20206fcd |
| SHA256 | 8730a6486bf1d5b23216da307fab7693d767f904c82fac270238a1689753099d |
| SHA512 | a799ba321201db2ec0ebdfca66e49b8a971c8e836564d52036f0718f9e6f1c1ef0e40f4a74cbd5e07fe7e47861747b38bd944bec6d048c4eb7426e12caf4f312 |