Analysis Overview
SHA256
44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef
Threat Level: Known bad
The file JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
Process spawned unexpected child process
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 17:29
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 17:29
Reported
2024-12-30 17:32
Platform
win7-20241010-en
Max time kernel
146s
Max time network
144s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Mail\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\ja-JP\24dbde2999530e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\ja-JP\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\ja-JP\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\csrss.exe'
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2852-13-0x0000000000C60000-0x0000000000D70000-memory.dmp
memory/2852-14-0x0000000000BC0000-0x0000000000BD2000-memory.dmp
memory/2852-15-0x0000000000C50000-0x0000000000C5C000-memory.dmp
memory/2852-16-0x000000001A5F0000-0x000000001A5FC000-memory.dmp
memory/2852-17-0x000000001A700000-0x000000001A70C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d9ab908dd0ea8222bf36bda08d38c06a |
| SHA1 | 69d54fb59cab5608d4f857d669cc2ddd3266519a |
| SHA256 | 9b79c6fe1f916342576574f417eec73f33888ff5db163a27ea09a069ccae4e53 |
| SHA512 | 1392367321698029833256b214441aaa55b8a57b96d2bff541402f0d9a6bb25c4482897560989e6d0c494849ea4612523c069db3796d58d2992082d556a89e69 |
memory/1044-87-0x0000000000AC0000-0x0000000000BD0000-memory.dmp
memory/2396-71-0x00000000020F0000-0x00000000020F8000-memory.dmp
memory/2396-70-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
memory/1044-97-0x00000000002C0000-0x00000000002D2000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Cab9F8C.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar9FAE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat
| MD5 | 59f29fe13512cf56fe2da1dce7040594 |
| SHA1 | 07c00e91c17114885e72e25afeb428c277616f30 |
| SHA256 | c08f26e65b3d08804029432c84f31c14ffec231bd526eb8a7e258e39c115b723 |
| SHA512 | bb34e5fe4643bbbcb28e46a09c25c2b869bc46ac95333d6e91bd18ab1deb1a997ce727740dfef2fe1c1d291b76df2932d411ce2a14e6954864bf662e5a89b0a6 |
memory/2620-183-0x0000000000340000-0x0000000000352000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2613e69d782ddd46dfbe29064b12a57 |
| SHA1 | bfb2e4d9642252815f93b942a2e81b406ba51c23 |
| SHA256 | 81f08438215c41f5a2b09da9e475fbb81fc953ce422745380518984cab7b1cc7 |
| SHA512 | 93c57f5e3c1cd73d2a0924b6e2541b2492a542c6f3ce2102069a0ba49495da1fe468b3df179ffda3fc51ae05df87659a9a521c71b0a9508bfebae257f3448cb3 |
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat
| MD5 | 2cfda50db47f47a0d2d56809acfa3bf6 |
| SHA1 | f2e32f5bc3cd7e9d52a9f737c87236a8a5acec82 |
| SHA256 | 538ecd667fe16a070936f699c62d4e13d1b379375b946bae7f7bc5e09bb21087 |
| SHA512 | 4fa18c315c065bad0db10d32ab15258e3cf5d1957067a974fa62a67e7ea36e31e30236706142ac8e66c01b48fe434d14442613bda5930230755440c0d9a5cee1 |
memory/828-243-0x0000000000340000-0x0000000000352000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 01b6960ddf80d59383e736cdfd4fb373 |
| SHA1 | aa589ce363c860d58e0020d18d88d1efad1d3d6b |
| SHA256 | 67a5795da382769ca9e9d733259d1a228a7bb9ddbce562f3f5e8a53fbced0a60 |
| SHA512 | 4c3c642ca38076b96bc48cd580aa4654c401e0476c912b8463569ccf2c09b32384793e96afce73d4086292f2445d85a2d314addda3f80723ac1936b20c8eb5c3 |
C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat
| MD5 | e0463372cc1f37e08ac45555288df396 |
| SHA1 | e88d0d848bce627a946078ba28a17e5122f58521 |
| SHA256 | 4eb74ef2fb43bd7ee365aa19623b69d2f83e2a77a397811b2b5a8e21c3260c94 |
| SHA512 | bd8d73999037e1af7358171c257a1a87512abb41259380a1b744d3c80a2c8b1f0cb7e43e0fc63e6ad2133c23755fce1bec1d1bd8a90ba7c104ba8b3f7e24f4ae |
memory/1520-303-0x0000000000B90000-0x0000000000CA0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6d0933ea0a71c63e9952fbfed7bd5310 |
| SHA1 | 2568eac50114741a3a55d3121c2f2c938356eeeb |
| SHA256 | ce1fe9b679e99c821ff4a302d39a734134380d305ae6025c1c511bf16bcccdf3 |
| SHA512 | 4a161dc5eb5dec72a8060a40166f6c8c3a8deee64a1f0283c72de06cfd71b252057744f90cc3e7fa4f15e134ce9102bd2db341f6d7b9eebcffbc637705eeed41 |
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat
| MD5 | d0a78f548cea8818012c58b3ad71bf0d |
| SHA1 | 2a5d39c055d58f025f597d9865fb290d2b0a75f5 |
| SHA256 | f7a76b1fa16bc2ce8ea49e41c908281c4ed9616811b4772fc272a73b2ddbc605 |
| SHA512 | 8bad7f5dee398de3df8fc6e4203ca162a6820ee1d90ddafe088f5d64be0e272df410ab136a0a11ba4fcfdb6ef49c620ac0b8df4f31dd3c90292d24799d1500fe |
memory/3056-363-0x0000000000DF0000-0x0000000000F00000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1d24aecc4f81fa54e413b99d75756319 |
| SHA1 | b70864a2cca33d7d45e02c026ebeb69f8bf9be25 |
| SHA256 | 4db7d1bb6b120d7d040028712ae6662cd5504c1c22ad15b6f95ba2e87cbe6921 |
| SHA512 | c38219d1ef78be21927deaca1a6e96b2043d01bb19bdc06f76cb007adcc7146e1cb63a2d9723bfb6550c7bf8f4c9272bf52a2222a7a075f154fb722f5a17bbc7 |
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat
| MD5 | 91afc21aba9ffe93c4b0bb704a75ddce |
| SHA1 | e58029158b39777d8e2e1d64dbfa414661335629 |
| SHA256 | 0822b93070ac2603b07d9d113809969b019f3a2b0c53c1eb43df97a87f28b5c8 |
| SHA512 | 04623831a8fa42a097aac4e74519865053a5a858624089daf0d4b7aacd7b4aa2a6a11e087c11a2d0c8724d95bf2eaa9fc0995c930d6c0a9b45d6f110a06d3cb7 |
memory/1944-423-0x0000000000110000-0x0000000000220000-memory.dmp
memory/1944-424-0x00000000004D0000-0x00000000004E2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7b873202ee07de638d874e85de330f4 |
| SHA1 | a659b8f57c228ca307b07f55686935a749c2353f |
| SHA256 | 70babfa5e9a5186b49738d56bb7ef0c0e6dcbac3cb98a80b5358b03d6e0a7929 |
| SHA512 | b9092b5298783b4ac486c4feed7dd23de2b7abf05c8e2e52c3db907bb0f1576db5aa149852af4cd025f0a31484f4873fdbc29457ba8b15dfa18321d2f518b772 |
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat
| MD5 | 149d885fb8b40642002e0a1a2a9ae978 |
| SHA1 | add8edb798cb6b21ade6390f9a117036eb8594ae |
| SHA256 | 850f1b0b007a69b4fa94423b619ceef67f14fd8eac0a6dff03e4c4a00a7463a3 |
| SHA512 | a2efd72cbb11ca3cd84099244cf0dc9873240b1f8e1aea495e878939047006bb9fffb5a71c7d9c31eb4ea3092d20c2957fc19351acded48ed79632031ffa5448 |
memory/1676-484-0x0000000000870000-0x0000000000980000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 251417e90e5cc9b6d691a607152b974c |
| SHA1 | 1a499878c9c3fae0369ce66c7459eee67c8ebd4e |
| SHA256 | 4a52466385ff7dc02bb0c8adeb47508251918e78bffaed98fcbf3f386c64b201 |
| SHA512 | 3db706ae554b551b6aa409b42da6643a4d50c62190ce7c6bc09271320638993ba3cfbaabeb6872e30e307c0d8963da8ef68c09150111310ebb13e382b6a93a20 |
C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat
| MD5 | 3453177817f5e48018e8c64235867bbb |
| SHA1 | 5b214bf61a0b8f7ffa5677a03b486a5671b60139 |
| SHA256 | 6c80f65959edbbedb0ab006e09527fc00bc8aa3c4fc6348b8cf1f81ffdc8017d |
| SHA512 | 9ee8018b90bf622443ab99d12d61d072265d8fb97951545f9cd6f268610da33e8404fdb72d3b88a054d62b972650b96e50a9f2502cbf717dcdde3eb2018ed9f2 |
memory/2468-544-0x0000000000980000-0x0000000000A90000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b514929dcea8020e4e8a5acc83db88af |
| SHA1 | 80851821dd128b24a722de1a739c523be5ff4fc7 |
| SHA256 | 211e84f70c988e922e863b3d81917bf873c056932cf6177751664635b62d0a24 |
| SHA512 | 83a8a46a23a0a344deccf002c29158185c8c8e6aacde627f00e8031d2a20485c44c24529d924356a0f70f9c3c17832bacc4f4454de321af50fcfb145cd63dc7d |
C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat
| MD5 | 8f262c3afd07b732356a44508cc60ff7 |
| SHA1 | 7542704dbbaccd3909a3627d9c4b808169b2be55 |
| SHA256 | cb37de1ea77e4e2ab1db26021d145df27c8168ecdd5127e3702eaefe2780710f |
| SHA512 | 70caf8c64bc9c680731f1c23b900f77e43b98c946dbd8baffd37247a6ade2dccd63c04f717da217c1e5b2a3faab3518571e21e3b3f738a98fe82ec97ee9995bd |
memory/1820-604-0x0000000000060000-0x0000000000170000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 17:29
Reported
2024-12-30 17:32
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\29c1c3cc0f7685 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\e1ef82546f0b02 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\e6c9b481da804f | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsaJZj7IEG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4536-12-0x00007FFC76913000-0x00007FFC76915000-memory.dmp
memory/4536-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp
memory/4536-14-0x00000000014A0000-0x00000000014B2000-memory.dmp
memory/4536-15-0x0000000001750000-0x000000000175C000-memory.dmp
memory/4536-16-0x0000000001740000-0x000000000174C000-memory.dmp
memory/4536-17-0x0000000001770000-0x000000000177C000-memory.dmp
memory/3676-40-0x000001C4087C0000-0x000001C4087E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjnmympm.3yb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\SsaJZj7IEG.bat
| MD5 | 8baf283453a5b11d0f1230fcc13e0dc0 |
| SHA1 | e33133500760e6da281107673acabd157beb8ae3 |
| SHA256 | b8477593fbfa861153437ee2316b6c78772c3c1641909579751399f1e5a4b10a |
| SHA512 | 43617af56ffefb2c4d6f399b5536c90c5e4dac248cb5deb0f810e572762e0ef2be350ea05d63a159a1e733147c018017e99ed54890a9f4e59741d73f7e342748 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
memory/3052-92-0x00000000023D0000-0x00000000023E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat
| MD5 | dbdc017aa85470794d577c1bc8b174dd |
| SHA1 | dbc9e9357fc53e0acdc8f660779ed5063215ea49 |
| SHA256 | d76450d9ffddc0211d4347101c007aa8b2a83e9e1dc3dc9ccc5a414143b09ae1 |
| SHA512 | afb098827bebaa761cc33353b50a3732741ee8975ab287f6178b8ecf36cf32007f0ec0ce598190f4f5c803e92b43a3d19e0d8c376e386f912fbfd8e3acb04eba |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat
| MD5 | 0eaba81a9c0e99d5166ca78067b3aec9 |
| SHA1 | e945af8d6d135d13b7df074b63e41124cce8ab7d |
| SHA256 | c8e698886fe0a6a695af7b0da56a1e71e4c01c7e85b507cb8be07df1518bc6a1 |
| SHA512 | ebbc22bdea2b8eaf7396a839aa5f8ecc621655b94455fe965275b4dfc6d5d249e6d31a8602ce2a4b53ab2c03e79e50b45d1edf4888e76a2f8d8ab509f3931625 |
C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat
| MD5 | 12cf7b9b91a52b8744dc5fc9c892c6ad |
| SHA1 | 43a00ae5d2fa9391e0f46e5e2e32cef7318f8b61 |
| SHA256 | 0e90640fc158d8da1008a7c70b10baa1032cd6db48a48cf31df9485c847764ae |
| SHA512 | 254cb6ef8ba4ba91784dafc47ba64bd5f761470487363d9a5a9b5fc16d0a65e1a53b481d1aa9ef245d2bcff661295ab84982655239362d9afd371f3ca9c07d09 |
C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat
| MD5 | 8c1095b0ad5eb3dbb01347be5957b8c1 |
| SHA1 | ce9e451c18ed9215c4ceee01a77155c8baa02b0d |
| SHA256 | a5adc59727ec30c99a4ddb69e2468120f745e34f8961d5c364f94dd29929ac90 |
| SHA512 | 4cb0534a77279379c7d598ed8ad8e74438d82c8e2593779a9950fa30c94d3bf3d0ce5dd246e63f5da66e75ef1268399a11594ef76b8d8727decbdbbf3ea3255a |
memory/2660-119-0x0000000001540000-0x0000000001552000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat
| MD5 | 896c05a7644f5bd576ac18075206349d |
| SHA1 | 1067a50708ddabe8b6550ec11b4b8cdeb1195c61 |
| SHA256 | 354e13ce8b276481f5e514bad74b817422c6822f7bb290ccf768e5171a30cb0a |
| SHA512 | ee8c652345e03a840dc966189cc414ea8eab3f1bb0b0f3beb0ca73ff37d38a5ec15767053a516243c16ce05a3e3559fe66b8a5df9134584fbbfde4fb63077df0 |
memory/3276-126-0x0000000002940000-0x0000000002952000-memory.dmp
memory/4232-133-0x0000000001620000-0x0000000001632000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat
| MD5 | a582e622f98afc38e4a61f75e0afa5eb |
| SHA1 | 4b0a44f122e11c91d12f82f195ec75fedb473bba |
| SHA256 | 0552a3924fa3d42a14d0255fed5d695a2ab0816f05029723a7f3a5f8d93b59f9 |
| SHA512 | a9a2557d4459010038135de2fba755d91602d6abe3b51adb253ba37526d1c43b95e78fbdd660720ed2eac360b4c54605accd923e82271595596f7d0b9559eb02 |
memory/3916-140-0x0000000002980000-0x0000000002992000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat
| MD5 | bc07d8cf8cd6955ca6ddc29071d66bd7 |
| SHA1 | 6b4e360bf0e549df7d48c69ca500a95887df6989 |
| SHA256 | ff4f83dce7895ca7f02467d6f805aea91faf6e063c4d0bf9baed9db1ea5e95c2 |
| SHA512 | 409c90f03ffd4ed2197b374e13ab891eedec4abfd84647d7337261477e986e37de76941c913d81570e3973354a64cf7641e2efb6709c7604b990b3fef68574f8 |
memory/2308-147-0x0000000002EC0000-0x0000000002ED2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat
| MD5 | 9a4252935cda676dae7d8bf7763fdc6b |
| SHA1 | 2794e0ad8d678e427b95f0107053d54fbfba4a8c |
| SHA256 | 0f973a29b95ce05a6b6b80e4ff6ced23c27797f6b755950b00b86b3df7a3df9d |
| SHA512 | b4f3beb6cc24ca9c2efc407edfcb6fa1000f1155accdb55e5f14c5b8486cb27300df459c6117a2125bb5d024d21b36bdf2371183855db869d78bbfbc2050ae46 |
C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat
| MD5 | 9ed72d03e3c5f44af2be40831c71b945 |
| SHA1 | 0f0eb7958fb3ce6fc5de09db8b1220679e351430 |
| SHA256 | cac8c48268f2b3d37e15a42dbf45e708547f794a6f37bd167ef88449b1d6e679 |
| SHA512 | bee8d56f7fcda4e57715c7fd27d58097a886adb6b492f3072c0c64c7f5b706221c8c7a3766811873414ae1710841e12fca9b4ff2b3b3d2f9f0ac5a8581ab6e07 |
memory/1820-160-0x0000000002C10000-0x0000000002C22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat
| MD5 | 9e1975190d1c4c8058f3e9fcf8984f09 |
| SHA1 | fbdc89c9e4c324de13f82063ea8127e7fb8f02ee |
| SHA256 | f99247ab55c3bc7fb6ae6c89b9148b693b84edbd2394353cf29a35e737595a47 |
| SHA512 | a04bf7bb47b7f0216060d8c18c7cfe18dd8092802c5fdbe111e7cd7d8b5436e4dc0402625e2ea4edf2b32c565db1575540013af31bcc9149fda286b07a3d05d5 |