Analysis Overview
SHA256
91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f
Threat Level: Known bad
The file JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
Dcrat family
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 17:41
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 17:41
Reported
2024-12-30 17:44
Platform
win7-20241010-en
Max time kernel
146s
Max time network
146s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Java\jre7\lib\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
| N/A | N/A | C:\Users\Public\conhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\lib\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OQU2DA9XHb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\conhost.exe
"C:\Users\Public\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\conhost.exe
"C:\Users\Public\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\conhost.exe
"C:\Users\Public\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\conhost.exe
"C:\Users\Public\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\conhost.exe
"C:\Users\Public\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\conhost.exe
"C:\Users\Public\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\conhost.exe
"C:\Users\Public\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\conhost.exe
"C:\Users\Public\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Public\conhost.exe
"C:\Users\Public\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| Hash | Value |
| --- | --- |
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| Hash | Value |
| --- | --- |
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| Hash | Value |
| --- | --- |
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2900-13-0x0000000000360000-0x0000000000470000-memory.dmp
memory/2900-14-0x0000000000340000-0x0000000000352000-memory.dmp
memory/2900-15-0x0000000000570000-0x000000000057C000-memory.dmp
memory/2900-16-0x0000000000350000-0x000000000035C000-memory.dmp
memory/2900-17-0x0000000000580000-0x000000000058C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| Hash | Value |
| --- | --- |
| MD5 | 88c3fbf3cf3155b53abd0df659725513 |
| SHA1 | 7e6fd35da35009a9c5abe9bce41284941df5e30f |
| SHA256 | f0eaea9352df2222d2a58c80d0490d1e73284317231a56957db4fd8de60e0380 |
| SHA512 | 1d70d97937bd22c30521ca3470eff929503fd944a6e7fad8ff28ccd91a23a8e0eca0877b20df77e361cda28c030b93643b0d23d41a18a0260ab1b9edb706e58e |
memory/1280-48-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
memory/1280-47-0x000000001B6B0000-0x000000001B992000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OQU2DA9XHb.bat
| Hash | Value |
| --- | --- |
| MD5 | 1af63a59674c69077b54c2e9ba323b1b |
| SHA1 | 515dc133b7f3f25be4bf3412d3833aa80de81ddd |
| SHA256 | 9c4df6956c244c22dcadcfb20e3554b319cc1421b73407fc6d15988c18406a7a |
| SHA512 | 69e3bb163660e9a1f1b39a806bb5cd606b6cef4309710a29c7a05f0152274401263c33513cc4d36904208cd306be68cf2a0454211a8bce37723d12f6c047f441 |
memory/268-52-0x00000000010D0000-0x00000000011E0000-memory.dmp
memory/268-53-0x00000000004B0000-0x00000000004C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab175A.tmp
| Hash | Value |
| --- | --- |
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar177C.tmp
| Hash | Value |
| --- | --- |
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat
| Hash | Value |
| --- | --- |
| MD5 | 0f524ac0f3a0c697432448ff7fec3586 |
| SHA1 | f7a338653d619117f36cd119c0be15273bffd990 |
| SHA256 | 52e6a829d139a7991a5b3f4d8daec1ba1fe7ed7b501c805d6a567ead09e00de0 |
| SHA512 | 1e0e94be6d2c872817b833080f30f6d340055e6dfc61e85c455f7effc7fe7b359d2c10d45902dff83b6478a659c9391db196515ba1f47156e0ba9a44199b3cbd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | b7bd80ab39c3f40ce1af13891e0d6d74 |
| SHA1 | a7a90cde4e69df8d22a4c345ec6c87a7442fe50e |
| SHA256 | 784615b9627f55d23728d8b2f4783e59863699c77b53fea192643ea99924a145 |
| SHA512 | abbf9b31ba076ea8dff3b23ccf298ffb9502e08c8a2ee95cabf3d8c066816b63bd0e7c012dd32ff62da93ca88119c8c0af33989023645be4b00b4066037871fb |
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat
| Hash | Value |
| --- | --- |
| MD5 | bcde3c384bcb412c191dcfc4dd17a9ab |
| SHA1 | 0f84d41a8b40f8582c395da63a0afdf50a58089e |
| SHA256 | f2761518fdef1af599bcd5238971f697739ac6bb89186e04a50aeb4d01b0d846 |
| SHA512 | e4543af1fafbeab9c4b53fc17412928923d044b1b196d320045c9d36c9fc3ee8aec0ec0f6d18b2f7b87bf54d3501a34e6c6ae01a501217f534c7b18021955e42 |
memory/1036-171-0x00000000011C0000-0x00000000012D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | ce7d1dcef286c5f24df9cf5fa33a5fa5 |
| SHA1 | c2761cead4b306f2893e35141528ae117e817f77 |
| SHA256 | c02c0c997975fb046efddace60edba906093ed4f131952bbd18f0e48615a30b8 |
| SHA512 | a72d92f0b3e633d9781f0db074ffbe7c1a8b150c7d7e5900f9f8a2c647992d698cfa685095b0249405abad2b6fbdf367fdec6175e4ef34521bd8bec462bfa1ac |
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat
| Hash | Value |
| --- | --- |
| MD5 | ee3bd24977de1a3c69023d9aa144960f |
| SHA1 | bfb718ef7b0f6770b0560e0a73e5a4b641e62ac1 |
| SHA256 | a8cbaa9ae0e3e6b93bff66102f079eca21ac12136146d4af98e0608ef7afc3a5 |
| SHA512 | 6641c41b67b80a6a8ee2826ebd2fbb45f7020e95690db745d54f1efce4817c3c7ce938eeb2d41163e54a50763ce8b38a3505459ffeb8ca84c3037d4aeaf86024 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | cf104165f6bfa2c19150fb7a769bdcd7 |
| SHA1 | 72eedf37b438aea62b54181229a2bc284f477e36 |
| SHA256 | ab1668ca15af6c14640ca05578dc656f248de1e326450f760d2694b914daa98b |
| SHA512 | f935dd5407994c354e544d01004b61df4446bb6d8fc06dbde5a2ccd658bbd5813781119c634327f6a78afab83cfe20f64b5dad0d1243ab249caae5ee03184fa8 |
C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat
| Hash | Value |
| --- | --- |
| MD5 | dfa6335f98791e851c8697102f24e6c1 |
| SHA1 | 168a0a8f38b4add1a0decf7667d98ea4e50c0fc8 |
| SHA256 | 677a84165e17d53252d5ab00f86b3b2d8d5bca36914f03441c3d800a16878818 |
| SHA512 | 00cd606d9c28253189f98cdf1bbedf5802ae5ed115472b02360427b64b49c4023e2329bd9e5d1452b61e8118baddbd4e2eb2b6182ef0a66391badd159a699889 |
memory/448-290-0x00000000012F0000-0x0000000001400000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 53835cbd1484c80590001dc9bffb430a |
| SHA1 | c995f00c5a30a6fcc10fb6ecbf301ac6cdf48599 |
| SHA256 | 49b272c6cb672d9dce1cf394e5ede244c5b7b780d60140fdc4a3dd0ce483b772 |
| SHA512 | 47cafbc94617f78d02c0853094a5d426ba9e13272d50d8f8961cd8b3d14fe6ca87401dbcb3875c5a7cd7d266f27b0e3fda0e5137158803f8f57031d2305f0eb3 |
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat
| Hash | Value |
| --- | --- |
| MD5 | 8a8baf893b85300b1e4d02b19291b71f |
| SHA1 | 8fcb80633569ac2bcc5b9ea2e9db5da53fe004d3 |
| SHA256 | da92fa876ed969839f20db79eec73bf5b828c12992ebf049eeaae3caba1f2e5b |
| SHA512 | 51c39ccea4b69832cfadb2859bfd7e22f26f7bb8851bbbe82a6b4284e460536e949d1767e07a6eee5085434cece4d7c48e29af932f199bc14578baa66da832e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 2e4fd0dd72c66e9cefd7d46cb55f5b32 |
| SHA1 | 6c979d2cfd14d9eb64669acef39590f6382c20fc |
| SHA256 | 01cfd9d24cdfd0e4cfa2e233b382607ff1e7a1e3b4e26a487b6805e0ab8b2c60 |
| SHA512 | beb51b799b98d613f87ced53e0f7aef027abb68a37f7ce641feaf30da0b7db99de4e0f5d51606076cd0d8f102f574b0e722e7f52c6d0c158d7098aea13cdcd10 |
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat
| Hash | Value |
| --- | --- |
| MD5 | f6bd6ae0c40fedb64b6f3dcd8816cf69 |
| SHA1 | 2643c11c0d33a0925376c7742e5eac306de20d21 |
| SHA256 | 8064f73523cb886d74c2f564e14906c32838e3912fe58a7a10cfd903c9e16d1a |
| SHA512 | e58d98ddfd7ee05c493c99d16a17e3d7648aa2f29309a8c349ba71d2709ce97b883ad926c76a93d12cf5dbf7f3232ab8636e612fd0dd35f4183c1512698aa7cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | cf3438ad04b98698c067cd942f69369b |
| SHA1 | 98252c91f5a067bfe5a6cec7fa8391821e9a4f6d |
| SHA256 | 550efc932ecf982ae308f389d49c1b70fab78a3b1e1bec10073751dc5e233391 |
| SHA512 | ed13404530d62b861a57070ece6d1653722d449ced0b31ae8486db4e559c5ae3c695293fb0324409e193a3075c68f508f439e468ab8a80d78dd812deac316fb9 |
C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat
| Hash | Value |
| --- | --- |
| MD5 | 8251d7504eb80f7ef21f46d22bbde465 |
| SHA1 | 236e5ab35f2f81df5cc0d1365d46821b66f4b0cc |
| SHA256 | 27619be3a4a7176bf0f70e0dde9d9451e1bfe3311b77d4b685936a7620229790 |
| SHA512 | 9c90e3c8d7a2ffcd4b30be81a76564c629188b2a47345969312eeb6995c7a13e7f2fc8019af5f5d9526fd004260c62654749d55b408558f1e045f11f9aad8ea0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 96ac62e4f9c34824e5c776fdf09ba1f4 |
| SHA1 | 7ea24703ed9ca4354426c1a92255bd34a774d2e6 |
| SHA256 | 60f807d8ee1af55159af7769b6ebf5e9a56b9d1e9b9ea6bb66130b9161e4f84a |
| SHA512 | 65554d04da1a43f6ba56ea3aade9eecf576bbcf7c1e677d92bc9f9d4411b258560ae65f6d99bb48b28a8721b6a9310235eb528dcd3f35ce0c547501700347702 |
C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat
| Hash | Value |
| --- | --- |
| MD5 | a71f6ad1c633718cf50743d8ac8540e6 |
| SHA1 | 77fbc5d402215993f26c07016663bb6e2031b208 |
| SHA256 | eb72cfec116de201e48b83a65f375bb0950405e45d86f95fea25185c43c903c7 |
| SHA512 | 48fc6e19d809ba7cb93e89d27aa3b50cbde345487417715c89a81232372cba1d173073b97d9062ff0360610eb7667cca110418cab79cc10c860215dd83c9823d |
memory/2856-527-0x0000000000630000-0x0000000000642000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | f4f76cb8622c9979f6212e6509cce804 |
| SHA1 | c975d749780362edb56d4f21c7a79e84f74e88db |
| SHA256 | 3fa7674e0cb730b0e5bcabbbf5b41faf11a8a300447c2b221aaccd2f162c2aff |
| SHA512 | 8a8d3602a8986b338f93cb26da2f1322faead6ef58a8b2c21f397200fe9615d52cf3b51d5f57fbe7cdaf63b6a9650e52cda132146ee847b723eec8ca40857772 |
C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat
| Hash | Value |
| --- | --- |
| MD5 | 413198e4275aa9e8c822e3c6556f2cc5 |
| SHA1 | 60918ce2779aa2b4eef30721de88500660090333 |
| SHA256 | e4d660f6b61fb9facd01f5220be31981d15076bcc4a89d5decd0004371a79796 |
| SHA512 | b6a7796e75b8d517087d738643297d9a696d4f651ddcd96911c832555662217d19fb9a2161c59351c230f24db0b5e26fc6343b93d35472ca4c36f084481b3636 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 17:41
Reported
2024-12-30 17:44
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| N/A | N/A | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\55b276f4edf653 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Registration\CRMLog\sihost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Registration\CRMLog\66fc9ff0ee96c2 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Default\Documents\My Videos\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Videos\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Videos\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\Documents\My Videos\cmd.exe
"C:\Users\Default\Documents\My Videos\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
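The Processes section above shows the DcRat pattern in the clear: every dropped payload receives three schtasks entries (a MINUTE-interval task, an ONLOGON task at /rl HIGHEST, and a second MINUTE task at /rl HIGHEST), every payload carries the file name of a Windows binary but lives outside the Windows system directories, each path gets a Defender exclusion through Add-MpPreference, and the relaunched cmd.exe copies run batch files that call w32tm /stripchart against localhost, which batch droppers commonly use as a sleep. The following is an added example (editor's code, not part of the report or of the DcRat tooling) that turns those observations into detection rules over process command lines; the binary-name list, the trusted directory prefixes and the benign control line are the editor's assumptions.

```python
"""Flag the DcRat persistence and defence-evasion pattern in process command lines.

Added example, not part of the sandbox report. The sample command lines are
copied from the Processes section of the report, plus one constructed benign
control; the rules, the masqueraded-binary list and the trusted directories
are the editor's assumptions, not something the report states.
"""
import ntpath
import re
from collections import Counter, defaultdict

# Constructed input: representative lines from the report and one benign control.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /rl HIGHEST /f''',
    r'''"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' ''',
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Acme\backup.exe" /f''',  # constructed benign control
]

# Assumption: binaries with these names ship only under the Windows directory,
# so a copy scheduled from Program Files, a user profile, C:\Recovery or a
# stray Windows subfolder is a masquerade. Names taken from the report's targets.
SYSTEM_BINARIES = {
    "sppsvc.exe", "sihost.exe", "cmd.exe", "conhost.exe", "wininit.exe",
    "dllhost.exe", "unsecapp.exe", "startmenuexperiencehost.exe",
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\systemapps\\", "c:\\windows\\winsxs\\")

_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
_SC = re.compile(r"/sc\s+(\w+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_RL = re.compile(r"/rl\s+(\w+)", re.I)
_TR = re.compile(r"/tr\s+(.+?)(?=\s+/\w+|\s*$)", re.I)  # value runs until the next /switch


def parse_schtasks(cmd):
    """Return the fields of a `schtasks /create` command line, or None."""
    tr, tn = _TR.search(cmd), _TN.search(cmd)
    if not (tr and tn):
        return None
    sc, mo, rl = _SC.search(cmd), _MO.search(cmd), _RL.search(cmd)
    return {
        "name": tn.group(1),
        # The report quotes targets as "'C:\...'"; peel both quote layers.
        "target": tr.group(1).strip().strip('"').strip("'"),
        "schedule": sc.group(1).upper() if sc else "",
        "modifier": int(mo.group(1)) if mo else None,
        "runlevel": rl.group(1).upper() if rl else "LIMITED",
    }


def is_masquerade(path):
    """True when a Windows-binary name is scheduled from outside the trusted directories."""
    low = path.lower()
    return ntpath.basename(low) in SYSTEM_BINARIES and not low.startswith(TRUSTED_DIRS)


def analyze(cmdlines):
    """Return one finding per rule hit, including the per-target task triad."""
    findings = []
    tasks_by_target = defaultdict(list)
    for cmd in cmdlines:
        low = cmd.lower()
        if "schtasks" in low and "/create" in low:
            task = parse_schtasks(cmd)
            if task is None:
                continue
            tasks_by_target[task["target"].lower()].append(task)
            if is_masquerade(task["target"]):
                findings.append({"rule": "masqueraded_system_binary",
                                 "task": task["name"], "target": task["target"]})
        elif "add-mppreference" in low and "-exclusionpath" in low:
            findings.append({"rule": "defender_exclusion_added", "cmdline": cmd.strip()})
        elif low.lstrip().startswith("w32tm") and "/stripchart" in low and "localhost" in low:
            # Blocks for /period seconds per sample: a sleep that needs no extra binary.
            findings.append({"rule": "w32tm_localhost_delay", "cmdline": cmd.strip()})
    # The report shows MINUTE + ONLOGON tasks for the same target, at least one at HIGHEST.
    for target, tasks in tasks_by_target.items():
        schedules = {t["schedule"] for t in tasks}
        if {"MINUTE", "ONLOGON"} <= schedules and any(t["runlevel"] == "HIGHEST" for t in tasks):
            findings.append({"rule": "persistence_triad", "target": target,
                             "tasks": sorted({t["name"] for t in tasks})})
    return findings


def rule_counts(cmdlines):
    """Count hits per rule; handy for asserting on a batch of command lines."""
    return Counter(f["rule"] for f in analyze(cmdlines))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CMDLINES):
        print(finding)
```

Feed it a Sysmon event ID 1 or 4688 export instead of the embedded list and the same four rules apply; the benign control shows that a DAILY task pointing at a vendor binary in Program Files raises nothing, since the name is not one Windows reserves for its own directory.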
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
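Most rows of the Network table are reverse (PTR) lookups sent to 8.8.8.8:53: the name 217.106.137.52.in-addr.arpa is the reverse of 52.137.106.217, so those rows record which peer addresses the guest tried to name, not traffic to a domain. The actual outbound sessions are the TCP 443 connections to 185.199.108.133 for raw.githubusercontent.com, the host behind the "Legitimate hosting services abused" signature. The following is an added example (editor's code, not part of the report) that parses the table, decodes PTR names back to addresses and separates connections from lookup noise; the embedded rows are a constructed subset of the table above.

```python
"""Split a sandbox Network table into PTR-lookup noise and real connections.

Added example, not part of the report. The rows are a constructed subset of
the report's Network table; the classification and the PTR decoding are the
editor's own.
"""
import ipaddress
import re

# Constructed input: a subset of the report's Network table rows.
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
"""

_PTR = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", re.I)


def parse_rows(text):
    """Turn markdown table rows into dicts; skips the header and malformed lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def ptr_target(name):
    """Return the IPv4 address a reverse-lookup name refers to, or None."""
    m = _PTR.fullmatch(name)
    if not m:
        return None
    # in-addr.arpa labels are the octets in reverse order.
    return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))


def summarize(text):
    """Separate DNS noise (PTR lookups, forward lookups) from outbound connections."""
    ptr_ips, dns_names, connections = set(), set(), set()
    for r in parse_rows(text):
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_target(r["domain"])
            if ip:
                ptr_ips.add(ip)
            else:
                dns_names.add(r["domain"])
        else:
            connections.add((r["ip"], r["port"], r["proto"], r["domain"]))
    conn_ips = {c[0] for c in connections}
    by_ip = lambda ips: sorted(ips, key=ipaddress.IPv4Address)
    return {
        "ptr_ips": by_ip(ptr_ips),
        "dns_names": sorted(dns_names),
        "connections": sorted(connections),
        # Peers the guest reverse-resolved but never connected to in the table:
        # worth checking against other capture sources.
        "ptr_only": by_ip(ptr_ips - conn_ips),
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_ROWS).items():
        print(key, value)
```

The ptr_only set is the useful residue: addresses the guest named but that never show up as a connection row, which usually means traffic the table does not list (the Windows telemetry and update endpoints of the analysis image) and occasionally a C2 peer reached over a protocol the sandbox did not decode.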
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1748-12-0x00007FFC5A1D3000-0x00007FFC5A1D5000-memory.dmp
memory/1748-13-0x0000000000300000-0x0000000000410000-memory.dmp
memory/1748-14-0x000000001B000000-0x000000001B012000-memory.dmp
memory/1748-15-0x000000001B140000-0x000000001B14C000-memory.dmp
memory/1748-16-0x000000001B120000-0x000000001B12C000-memory.dmp
memory/1748-17-0x000000001B130000-0x000000001B13C000-memory.dmp
memory/4900-48-0x0000027627FD0000-0x0000027627FF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tlhugpsf.igw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4368-139-0x0000000003170000-0x0000000003182000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |
C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat
| MD5 | f25b976ac68cfeca921719c326186be1 |
| SHA1 | 17b772a61d3417e15705742db668e13fc56f778e |
| SHA256 | 7fa777efd57b02bb6b4dded1c70d7541af0376e0a945369575a95481d1fd677f |
| SHA512 | 09f18c11b1136432ec0c331d9292bb2815870dd1695e3b0476d15abb9f92598fb1df87d586009962b5cd7208e522529e83cceea07421bd5edfd746e7662fd56f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/3764-169-0x000000001BAB0000-0x000000001BAC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat
| MD5 | e7c8c16b7e363c6e93ddb2acb6334dfe |
| SHA1 | a8f5f3c32bd090c04067e89794f2615e98b2f04b |
| SHA256 | 638838b323f0f225b0cea7d3357b9c9cccea276dee2a8035433d77506fc9ecf1 |
| SHA512 | 95e9e5aa6518baa689896125e6ba50fffc64ec2190c3919abd0b10716e30ab01430aa6401f2572cff6a1017acfcedcb77cdc27f1da37b0fb3cb24d62fdac29d5 |
memory/2732-176-0x0000000002530000-0x0000000002542000-memory.dmp
memory/2732-181-0x000000001B8C0000-0x000000001B9C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat
| MD5 | a70b4c1188cb3e8174c2a501fc925636 |
| SHA1 | 668bd3766da7019b1bf9f45109f6fbb66c4677dc |
| SHA256 | ce997816ca15a30ae636c63401c90ded3cf65b1206f5b58d1f7a23fe0e4b1fb9 |
| SHA512 | 1ecc4d091e717371bc36b9ab89b14ae59b82d82bb7b65e617742f0816e0f83a8c004c78c403a2b058bc203d091e2cf1c98ade68f835a9ae5d994a351393f0071 |
memory/2084-188-0x000000001C1E0000-0x000000001C2E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat
| MD5 | 3b6245a62a38f75e888c49e323d3ba82 |
| SHA1 | 519c25aa1212e12bbef870cea5668855502791db |
| SHA256 | 2fe24dcccfd3c961d0f03b1e89065bf63f3f967edbde0c70ef163960e9e6942e |
| SHA512 | 134e9f1567faf03ef37597458e23f1f31da2bcb6eaf112ff7b86e88279b1ac6bad17820e64e7c7903c0a942daba4092a929ff0fbce9d2525e2d5bee59829c856 |
memory/3500-191-0x0000000001440000-0x0000000001452000-memory.dmp
memory/3500-196-0x000000001C2B0000-0x000000001C3B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat
| MD5 | da2dff7279d5118e58540b644111d642 |
| SHA1 | 9d85b9ac5bf84ed887924f2e2d8ddf73fecc0cc7 |
| SHA256 | 20d77629e931019e576b261be53b9f3c16113f47fb0a619d65c417cd06f92af4 |
| SHA512 | c1e9876a2c6187eb0472edb7e9bec3a0a9769f64e672b8e5edfc9f1a4d01c73a4b0fbdade300e97353d30aadff1d73df68a3b1ca6007ec315b6a5556060cd917 |
memory/1048-203-0x000000001BB00000-0x000000001BC02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat
| MD5 | 3badf7ab622429c4d5bec60e0ead82da |
| SHA1 | a0b3bbff39ee17aaae0d3252fc472e6f322597d3 |
| SHA256 | 02c40bd3cfc92cf5f31fb6db70fef7571e1106dd4536cde5a31d76b5e8b68082 |
| SHA512 | f76c185fcab4d04d336ef5fed1c4d3b4699b90b5453be66450790d21fcd3b263c445e84589238e0c6f396f1384f89b536e847ca9277bec20b78ce4706e38a9c5 |
memory/1728-206-0x0000000001530000-0x0000000001542000-memory.dmp
memory/1728-211-0x000000001C1A0000-0x000000001C2A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat
| MD5 | a044669517dea07dcef55748b394355d |
| SHA1 | 90996fa7be272f307b926016bdecc1b161b156fb |
| SHA256 | ff75718391b22ab9bf54fa8d2d01dabd924f73d21cbdc29ba3ba560c98172abd |
| SHA512 | 712c664e6d9a964346c8965531eaf2cc17bbe9893c79fe4f64942641189d92875df97c687a2c1ff901403dd5a5cc00f147315d7ac140b62a0ae3a0862034b4ce |
C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat
| MD5 | c24bfbc266228c31608d09e5aaa1b2b8 |
| SHA1 | fa33639b9e07729a283f4ee452b1b9fbf16c7ff2 |
| SHA256 | 30e543fd94aebbd865148913859d89e2afe81c1446cd0d12ae91805c82f4fa45 |
| SHA512 | 89c1a5874c49c55c68e2a85fc925a62da787992a68bda28805833a888ad71cfa97b81cd463862305ba62aa9bb294eaec9b85f8e8b72a1e04a517362b0b59c437 |
C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat
| MD5 | 49deed557c1315590d5cd05a80090546 |
| SHA1 | 7a6c6dc56fab946a94a883a2eda0ba7e36d2f4c0 |
| SHA256 | e23bb47cb34b6c8888b3f0d6b5eb1eabef5dc94ce7ddee5bef3ef2468acc584d |
| SHA512 | 078404b2ce099da79b78a66f9967db4ddbf77dad7c1c75c6083c34b8449eafe9aec9f14489c380ca839b93954ac481f4834946f031e76908b1cc465b4e2450ae |
C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat
| MD5 | 1b284bf2b4ebd640f966815efba3d621 |
| SHA1 | 44cd46fa40daab12f41d9539faf10015c63a7070 |
| SHA256 | fa3a3e703a32d0c3a3ad3563eecf316ce39b7e93e6dd6750478f8531e9cbcc2a |
| SHA512 | c197ce549efd72c9ac7f7730367f87b2054116d3d92dabd3975939b617e54f715c3e54aee4cd4e013e53212317a6edef979c47e3c49d483aa35e37be0f2e682b |
C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat
| MD5 | 97bb59281d36475a43b4b64bbeaae3d6 |
| SHA1 | a2f107fe9c995bec143286d67f3c3dff1a4bba18 |
| SHA256 | edfb547c70c160684128802d47f1f660484695e0910c81cbb8771158a82f3188 |
| SHA512 | e2b05f1e2ce64a161ea560b03f29f656f82c9493352dab382f0821cfa6b035bd261bf46035b467daeba9a96cb3683d7bc420427d4c38cfc93302c856a04ce6c1 |
memory/768-238-0x0000000002A90000-0x0000000002AA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat
| MD5 | abc1a467416810212b726f1be7bd6aaa |
| SHA1 | 98750c60ae91d84d4a8116f8e634fda0c8dbb3cf |
| SHA256 | de2585ab8b3c9294b4ada06ee913c55b6359758630c3d2f73f0484938a65e791 |
| SHA512 | d93c9d6912eaf3f03735829d797d6b8068c5dac9a3601bd1737fc1bc6801e88ce7372f6c2f8a548854be549f1217b953edc1656e3df8465b65726ba06e787a84 |
memory/2900-251-0x0000000002AD0000-0x0000000002AE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat
| MD5 | e0b11e9ef9e04eb45acaf683668d96fc |
| SHA1 | cf39822d09d4a0d6605d06975a2bd40d648edf40 |
| SHA256 | a6975e5c046670262915710d6b9fe73efb63ce6ce825397f3cff3ca1971ca258 |
| SHA512 | 5e47399734e0c41478fe8830b103b3bdf23afe61db2837298e7fce5ec2941ba5377cf279ab403bd415f8f687829eaa949d45c4d5161af08721830eb781dbe4d6 |