Analysis Overview
SHA256
3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428
Threat Level: Known bad
The file JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DcRat
DCRat payload
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 17:41
Signatures
DCRat payload
Dcrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 17:41
Reported
2024-12-30 17:44
Platform
win7-20240903-en
Max time kernel
150s
Max time network
150s
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (15 identical events) | N/A | C:\Windows\system32\schtasks.exe | N/A |
DCRat payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A (6 identical events) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A (2 identical events) | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A (12 identical events) | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Resources\Themes\Aero\de-DE\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A (15 identical events) | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\de-DE\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d5cQTyHbvx.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 (12 identical connections) | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 2.23.210.83:80 | N/A | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
C:\providercommon\DllCommonsvc.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Local\Temp\Cab1316.tmp
C:\Users\Admin\AppData\Local\Temp\Tar1338.tmp
C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\d5cQTyHbvx.bat
C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat
C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat
C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat
C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat
C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat
C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat
C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat
C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat
C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 17:41
Reported
2024-12-30 17:44
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (39 identical events) | N/A | C:\Windows\system32\schtasks.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\Setup\State\sihost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\Setup\State\sihost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Media Player\Icons\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Updates\Registry.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Updates\ee2ad38f3d4382 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\Skins\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\Skins\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Setup\State\sihost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Setup\State\66fc9ff0ee96c2 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\es-ES\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\es-ES\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Panther\sihost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Panther\66fc9ff0ee96c2 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Windows\Setup\State\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3afdc1049eae3e0b40d944915e52d52d293b450e150b66b095fde82271501428.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Panther\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\providercommon\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Setup\State\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchApp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Skins\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Registry.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Setup\State\sihost.exe
"C:\Windows\Setup\State\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
C:\providercommon\DllCommonsvc.exe
memory/464-12-0x00007FFC9DC63000-0x00007FFC9DC65000-memory.dmp
memory/464-13-0x00000000008A0000-0x00000000009B0000-memory.dmp
memory/464-14-0x0000000002AD0000-0x0000000002AE2000-memory.dmp
memory/464-15-0x0000000002B00000-0x0000000002B0C000-memory.dmp
memory/464-16-0x0000000002AE0000-0x0000000002AEC000-memory.dmp
memory/464-17-0x0000000002AF0000-0x0000000002AFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhzdxmtc.mvo.ps1
memory/3808-71-0x000002502D360000-0x000002502D382000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log
C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat
C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat
memory/4864-231-0x0000000000C00000-0x0000000000C12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat
C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat
C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat
memory/5072-262-0x00000000011D0000-0x00000000011E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat
memory/4632-281-0x0000000002440000-0x0000000002452000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat