Analysis Overview
SHA256
b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577
Threat Level: Known bad
The file JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
Process spawned unexpected child process
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 17:06
Signatures
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 17:06
Reported
2024-12-30 17:08
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
142s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\providercommon\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3536-12-0x00007FFF3D7E3000-0x00007FFF3D7E5000-memory.dmp
memory/3536-13-0x0000000000C80000-0x0000000000D90000-memory.dmp
memory/3536-14-0x000000001B880000-0x000000001B892000-memory.dmp
memory/3536-15-0x000000001B890000-0x000000001B89C000-memory.dmp
memory/3536-16-0x000000001B9B0000-0x000000001B9BC000-memory.dmp
memory/3536-17-0x000000001B9C0000-0x000000001B9CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eg12lzmz.kvy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4004-41-0x000001F6F3FD0000-0x000001F6F3FF2000-memory.dmp
memory/5096-72-0x000000001AFF0000-0x000000001B002000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat
| MD5 | fd6e3c0dfbf8ef5180b4dd5df57f6ea6 |
| SHA1 | fa749be1e052279a5e286993c0bdf4dcf2308cc0 |
| SHA256 | 54d83fb0b1336dc74922a380287a37f7e9a4d006869b3ea06908330dedefa92e |
| SHA512 | d3a4824e3107149f1ab4e54a1e8e6c9ae3feffd476815b1bc0e55987b454b8911f4255c5b8e1f60d5bdc862fdf6d397b43c39e3d8404f20a5002a90d085da47e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat
| MD5 | 78af1bb258f802233815c6679a0024a5 |
| SHA1 | 6df59bf5ef76b38ad1045721bea75e999d0e576e |
| SHA256 | f124df10f55393b7cc5f9ac3cced9ac46b32828c6ecc06c31fafe45112b11b35 |
| SHA512 | d67c0e30e8fef235dff5264606dd3daee17e67138205e16ffd78195019ab139a2a68ea86e5101bc46fc4f00c87a42984048f5d06f583d5ab6d02b82ec52bf76f |
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat
| MD5 | c2d0de25a385313fc71614b3acf5e4eb |
| SHA1 | ff516b23171054ea4d9e8f538399975063cb3ddf |
| SHA256 | 8a47681c3a8e40a7917d1fce067923d31e0503d516d799947860e9bace72467e |
| SHA512 | aa5fff96e110ab18947e45c7d676b035e59690a6caad9d183e7975bdaa955da697b987c2ce5ba014d6c82cac586cf6225cf8527338a88affce87972bc9f67030 |
C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat
| MD5 | 04ed9b16b8e6d0372749bb8a2eba2ba4 |
| SHA1 | 51818fede7eb7234d552ba44d21eb77bedd54111 |
| SHA256 | 39533e53c915d281b3222b92fc36954ee5f45cc7a6adacf7d9bf0353bc5508d9 |
| SHA512 | 7942c23d06a4f5339edbee51e02bccfcf7d6f6e2f1228afa0af0c6e7f1789ca7e9d9b950e217a0f0e21d401a8aae368ca29deb5d07aad2f04d44635b9fc607af |
C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat
| MD5 | b547efbc34c516865dde496172b98b31 |
| SHA1 | a3f5337a6c530058f25f3b8d80805177f9581915 |
| SHA256 | 6e6b9dd4214ceeca551a87c5b625ebb0c902d2622abd65f00ee521f0f307a7ed |
| SHA512 | 638b2102a089df01dc8f6a4e756fa7d19fccd8d9f59f1087b021660422845b5092467512839559c5ca4cda6a76fe36833ae1daa56d39e5e6c539879ee6457384 |
C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat
| MD5 | c5a101d6e048ce900e8061d32d8c4f29 |
| SHA1 | 22edf73efedb8b5d645493106400e2afeb618a05 |
| SHA256 | a4eb74da0ad0a64c1750e132ff37315a2dc560137e87cc5330149974ff5d3e76 |
| SHA512 | 485892450cca18d8a8c70372d4b180eb577b2259e0ed76d58f2a4badb584d98a36e114f95dafd696c3ccfc5854ee57154d1355c36a5a62116f9d9a59d172362a |
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat
| MD5 | 1fa3fc83b523241427704f82acfc1b87 |
| SHA1 | 990422044a22deae0517ab388fad3145d6783b99 |
| SHA256 | cec612b16b3606a8963fdb90d5a1d6b3417ddf103cb199a806fcf33c70fa8432 |
| SHA512 | bf5d05248c00e1cf3f3946edabf03a62170fcd16823ca73576fc74becba78842973235a82b693e7ff7d498946245275888f5ad69e5be234baa32426b909b4413 |
C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat
| MD5 | a53bff33c6b3ec2a3320140e6a98b710 |
| SHA1 | 4245afc1006641eba946eaaf3a6d7445c86f1fb5 |
| SHA256 | 4d3343f18ff52402b7c3196c4a8f7dbe09e44e4e4c0175c64bea582059e049ea |
| SHA512 | 8fa2264797d8bfcd51152bd1e28e9a42fa3d97732a0447f5c63870a883cd0379bb6091bac2a0ea591f7180ff84e1b9bf68898c6130aaff432f8accc724192458 |
memory/1052-132-0x000000001AFF0000-0x000000001B002000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat
| MD5 | 320b34b9ad132a35b3534f3f03aee4a4 |
| SHA1 | 74b04c4fbd71ef6f2721f6c6a0bd24a490c4602e |
| SHA256 | 0f27466c7e1b7a3a5bdc403d2ec191115012d7caf82effa30fcf465de31e78ad |
| SHA512 | b6505ab7c7c367b36c2e206cf30d0fd6da928b541305a903d2dc47a0329b403c8f8cf637c2fd2e714cf40783dd8a057a3d43f2c7c091cfb5cc0187fcd7f02e6f |
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat
| MD5 | 3be704829ce79a23081224674c75f432 |
| SHA1 | 937e5c029a8e412341c199d57f86a1dc9650a068 |
| SHA256 | c07e74ea0a974009aab56d483bd1a578c47e37ffa133ae5b9cfa3641cbef61fc |
| SHA512 | 5296740216fdfe566efa831bc812b5bbf24219dd263923280e105e0ea369868a72bbd4416aa94a772cd181a3fe7a5d55a5b550abdbd40ac934342250e3801760 |
memory/3788-151-0x000000001BDF0000-0x000000001BE02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat
| MD5 | d61693abc3a3ddcce05e1701f6423a82 |
| SHA1 | 956d7412870db40664b77991dd83c71d1d6c719b |
| SHA256 | 381bb9369548979ff5977fccba91dd776921b07aa2b96edd6ce9431f92453e3f |
| SHA512 | d01f030da58372c4c99d1264d63ab61eec9dd19bb0dd4c0285b3b7036026343e6749ec76af931deed49c59f5c96a69e9519c0f47641bcd19e1657358a23d2ff4 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 17:06
Reported
2024-12-30 17:08
Platform
win7-20240903-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\providercommon\dllhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b62e0fca57ddd6462df8161820b99ac2e0541a35c0260cf7f54eace3f88d0577.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7RhMOLbPK5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\dllhost.exe
"C:\providercommon\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files