Analysis Overview
SHA256
5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6
Threat Level: Known bad
The file JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
DcRat
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 17:17
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 17:17
Reported
2024-12-30 17:20
Platform
win7-20241010-en
Max time kernel
145s
Max time network
145s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (15 occurrences) | N/A | C:\Windows\system32\schtasks.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| 9 matches (no indicator or process recorded) | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| 6 invocations | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| 1 execution | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| 10 executions | N/A | C:\Windows\de-DE\DllCommonsvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| 10 connections | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\de-DE\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\de-DE\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| 15 invocations | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| 1 occurrence | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| 6 occurrences | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| 10 occurrences | N/A | C:\Windows\de-DE\DllCommonsvc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
C:\Windows\de-DE\DllCommonsvc.exe
"C:\Windows\de-DE\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\de-DE\DllCommonsvc.exe
"C:\Windows\de-DE\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\de-DE\DllCommonsvc.exe
"C:\Windows\de-DE\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\de-DE\DllCommonsvc.exe
"C:\Windows\de-DE\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\de-DE\DllCommonsvc.exe
"C:\Windows\de-DE\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\de-DE\DllCommonsvc.exe
"C:\Windows\de-DE\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\de-DE\DllCommonsvc.exe
"C:\Windows\de-DE\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\de-DE\DllCommonsvc.exe
"C:\Windows\de-DE\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\de-DE\DllCommonsvc.exe
"C:\Windows\de-DE\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\de-DE\DllCommonsvc.exe
"C:\Windows\de-DE\DllCommonsvc.exe"
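The command lines above carry the whole persistence and defense-evasion chain: schtasks.exe launched through WMI, tasks that point at files named winlogon.exe, csrss.exe and lsass.exe outside System32 with /rl HIGHEST and minute-level triggers, an Add-MpPreference exclusion for every drop path, and w32tm /stripchart against localhost used as a sleep inside the batch files. The following Python is an added example, not part of the sandbox report, that turns those observations into detection rules and runs them over a constructed event list built from the command lines shown. The rule names, the SYSTEM_BINARIES list and the parent processes given for powershell.exe and w32tm.exe are assumptions for the example; the report itself only records WmiPrvSE.exe as the parent of schtasks.exe.

```python
import re
from dataclasses import dataclass

# Windows binaries that legitimately run only from %SystemRoot%\System32 (or SysWOW64).
# Assumption: this list is chosen for the example; extend it for your environment.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe", "services.exe", "svchost.exe"}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

_SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
_TR = re.compile(r'/tr\s+"\'?([^"\']+?)\'?"', re.I)   # /tr "'path'" or /tr "path"
_SC = re.compile(r"/sc\s+(\w+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+'([^']+)'", re.I)
_W32TM_DELAY = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost\b", re.I)


@dataclass
class Finding:
    rule: str
    detail: str


def analyze(parent: str, cmdline: str) -> list[Finding]:
    """Apply the rules to one process-creation event; return the rules that fired."""
    findings: list[Finding] = []
    low = cmdline.lower()

    # Rule 1: schtasks.exe whose parent is WmiPrvSE.exe (the sandbox's
    # "Process spawned unexpected child process" signature).
    if parent.lower().endswith("\\wmiprvse.exe") and "schtasks" in low:
        findings.append(Finding("wmi_spawned_schtasks", parent))

    if _SCHTASKS_CREATE.search(cmdline):
        m = _TR.search(cmdline)
        target = m.group(1) if m else ""
        name = target.rsplit("\\", 1)[-1].lower()
        # Rule 2: the task runs a file named like a core Windows process from outside System32.
        if name in SYSTEM_BINARIES and not target.lower().startswith(LEGIT_SYSTEM_DIRS):
            findings.append(Finding("masquerading_system_binary", target))
        # Rule 3: the task asks for the highest run level.
        if "/rl highest" in low:
            findings.append(Finding("task_runs_highest", name))
        # Rule 4: minute-granularity trigger, a respawn loop rather than a maintenance job.
        sc, mo = _SC.search(cmdline), _MO.search(cmdline)
        if sc and sc.group(1).upper() == "MINUTE" and mo and int(mo.group(1)) <= 15:
            findings.append(Finding("short_interval_task", f"every {mo.group(1)} min"))

    # Rule 5: a Defender exclusion added from the command line.
    m = _EXCLUSION.search(cmdline)
    if m:
        findings.append(Finding("defender_exclusion_added", m.group(1)))

    # Rule 6: w32tm /stripchart against localhost, used as a sleep inside a batch file.
    if _W32TM_DELAY.search(cmdline):
        findings.append(Finding("w32tm_delay", "w32tm /stripchart used as a timer"))
    return findings


def triage(events) -> dict[str, int]:
    """Count rule hits across (parent, cmdline) events; return {rule: count}."""
    counts: dict[str, int] = {}
    for parent, cmd in events:
        for f in analyze(parent, cmd):
            counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
# Constructed sample: command lines copied from the process list, each paired with a parent.
# Parents for powershell.exe and w32tm.exe are assumed; the last two events are benign controls.
EVENTS = [
    (WMIPRVSE, r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /f'''),
    (WMIPRVSE, r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe'" /rl HIGHEST /f'''),
    (WMIPRVSE, r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f'''),
    (WMIPRVSE, r'''schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /f'''),
    (r"C:\providercommon\DllCommonsvc.exe", r'''"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe' '''.strip()),
    (r"C:\Windows\System32\cmd.exe", r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (r"C:\Windows\System32\cmd.exe", r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f'''),
    (r"C:\Windows\System32\cmd.exe", r'''schtasks.exe /create /tn "Logon" /sc ONLOGON /tr "C:\Windows\System32\winlogon.exe" /f'''),
]

if __name__ == "__main__":
    for parent, cmd in EVENTS:
        for f in analyze(parent, cmd):
            print(f"{f.rule:28} {f.detail}")
    print(triage(EVENTS))
```

Run it as-is to see every rule fire on the sample's own command lines while the two control tasks produce nothing; in practice feed it parent/command-line pairs from Sysmon Event ID 1 or Security 4688, and treat "masquerading_system_binary" and "defender_exclusion_added" as high-confidence on their own.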
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp (9 connections) |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2168-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp
memory/2168-14-0x0000000000250000-0x0000000000262000-memory.dmp
memory/2168-15-0x0000000000260000-0x000000000026C000-memory.dmp
memory/2168-16-0x0000000000270000-0x000000000027C000-memory.dmp
memory/2168-17-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MPW6NPJZZ5M88GLQMFBG.temp
| MD5 | bce1fe5eb7840c591f8d14d6bec32751 |
| SHA1 | 082085f75e7eaa5c9b556d433faa1f5de47394ef |
| SHA256 | cf64a9d961c47efb2154817ff557ad965bd17f80d57ab645fe7d1f11995a3624 |
| SHA512 | f3e9d89641a7863c7e8ba91cfd570457f87516090ec835fc94ee205a6e7aa4e8a84b66570fd22e8bae6a2d2d38a3e01238dcac6ea1674fd9a1f107c5998e242a |
memory/1760-41-0x0000000000100000-0x0000000000210000-memory.dmp
memory/3036-42-0x000000001B2A0000-0x000000001B582000-memory.dmp
memory/3036-53-0x0000000002360000-0x0000000002368000-memory.dmp
memory/1760-60-0x0000000000540000-0x0000000000552000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabE9F4.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarEA54.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat
| MD5 | e151e7b627b4a4590396442e06961da8 |
| SHA1 | ab5276336101f7f064eae9acfae1267063995d91 |
| SHA256 | f47455258422728dd131b5eafb6da2023de12174fba02d891ead21492db733f0 |
| SHA512 | 11969a9e77ad135d70293197005ab28e3b98bbfbd8aa86c7afcc2e28781f9f38565c6de6599892badc947e94d63efc56e25efa3562b903a6c547fb3122f59ffc |
memory/2964-119-0x00000000011E0000-0x00000000012F0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef4b77d7b4a0fbb3557177fad5a46e0b |
| SHA1 | ec72f7a2c6fb4db3d4b7866a8def207747aae1c6 |
| SHA256 | 91987b2df564265899e5cc435fbfbe64fd9d1a192cc1ef4255bcab6429ad123f |
| SHA512 | 5e535ee6206936b0d6ebf7f23456c830780451a99fa7cccac6e3c207b961e114ce323a650cc3f90afc16140cfdda8ffeb13a4a332399d8a0b73fefc11a356bc6 |
C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat
| MD5 | 71250a414375d8aad5ce02eef12f1a6b |
| SHA1 | 6f62255ec3c63aeb58bb3872cdac81404045973c |
| SHA256 | 7071c8e244db79d6db522f779bc95ec4770401d85b0c4a169601b876546d752f |
| SHA512 | f2d00a3d1b9326ad9aee893e284308b5c18c07cfbe918c4a78d64afc6ac9561dfafa6536ab84416ca9d8443c14eb1cb74b1a0268909c652b17ba51f608b93126 |
memory/580-179-0x0000000000110000-0x0000000000220000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b4f6e9eef4e00f77934fe5a737b33b9e |
| SHA1 | a721cf18ce926c06c743eaeee74246a8a126a20d |
| SHA256 | a0c871d646eea78491ddd7b842491f393fda34a73458b22680dcf3a92672626b |
| SHA512 | f03c4df280ecf134f6cf1209e9a0b7a4839aaa331fe2748f4bde7d7034567d74622d2e67fa14c39e24b96eb096ae1391db1528979bf2fbc31d8f23cd24cc367b |
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat
| MD5 | 6219e76f82f698f2b3233b63b3f9b432 |
| SHA1 | 7cc7abf33559d5b229f23866714c3fcda82ca2c7 |
| SHA256 | 009918ca092b609b1f1fa8e1043d389e2f552375273966f6b8474dbed0942c35 |
| SHA512 | fe4c894e6b2d5af5f85e1fa2d34a0b634d650d133a783567528a5e9c25bb65e578c5b7084860960d6765e62ec565ec2772ba811aca12b083cdbf896afe8a2903 |
memory/1064-239-0x0000000000F90000-0x00000000010A0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 281656d1e7c83d3a0751f238172bf81b |
| SHA1 | 6c7e3b814dbc14946475b1d9a3a8d4c84220799f |
| SHA256 | 81e955fd1041ad5c0651623f20d0abd6e7ee14d514adeb4ec288bb2b4cb8affc |
| SHA512 | 7d6f80fb895ae85bfde4f7b3b2cea552870d81f9014e9c0ae7fd9eac10bd03a39a6e11ecee83dcda2cebf4f75febb4f0d381e1716766288316a8c9cc2c4d9aef |
C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat
| MD5 | acf3d8e9adcf7190cad74a83bbfb3fed |
| SHA1 | d679a73e302d651aef68b5ce6065183823256d65 |
| SHA256 | 6b5be23b828cf86a6f855514e059e324c8dfa967590eb2b44e1d6d447e382e0a |
| SHA512 | 112099007fdbf950c802f7b4e6c5dae52417ad3f540a5aa2fb5f906fadd277011a0e906927bc99784016330bb2fa5f86fa370859422555c139b12500593f410c |
memory/2384-299-0x00000000012E0000-0x00000000013F0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0fe65b79274db38d39948b4a0e37db3d |
| SHA1 | 51ae2a9827a8e1586aaeefa8e890eb246a2e3cc0 |
| SHA256 | c8563501830d1888822a85dcb619f53ea40cf63b72afef19c8d88a3efb7b62e4 |
| SHA512 | 83744e1476aa557a42c76120c76a303d6f0ec05decca60666fb020b5fa788fe657a6d616d9847f5c498b31ec3de0eed187fc3e42b1d8eddd1e91a1c10273055f |
C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat
| MD5 | d6a80d87c156fbf531259ebb3accdcf5 |
| SHA1 | 51394a17d340ab6e9d038efba548ce29c156d462 |
| SHA256 | 2d093323e74bf9d9ad12896386f9a64a3fb0fe3c2ade73777d0808651648c7ad |
| SHA512 | c00c4eb57c8a55f7ed629136eccbdba73bf7f5930867fc23dfaa6cea2934bfa83761e87902139b61a92d53c6e46e32140f69f087c9b1f506d405d1c4957f338b |
memory/2152-359-0x0000000000340000-0x0000000000352000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c83be95a7a212f9fe2902b8d4b2761a |
| SHA1 | 55b1e2248f87201aff3c30fb9891de984842bb3d |
| SHA256 | a4c14e32ba260133dc1e95b17e859bfcc2e18c2b13f4078ef8d3c69adfc0d279 |
| SHA512 | 379b041c71f020ffc56d2c9f64a0a5ca31c51167e03a4a8cb6fff13dc1c8f5295242fd922f3426ee5c6a5adfc2ff2609d13bc29ebc80456cb48c7b557050959c |
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat
| MD5 | f12ee1d219505a92c86ea24c5ef25aec |
| SHA1 | 6c73f511cb3322f32303aa4b4e83dd15a72354e7 |
| SHA256 | 6da6588635b5ad205c51aebc5c3fae2136e45b421c9263b62c088cba87da74ba |
| SHA512 | b6a2904e5be7394952516a0f46dd9197646db9c92677cea4850c47e286af61ad56885d7764b98dc414422e45479347adf77cac449dfebe1657f8512ed1759b85 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 404b51c3b37c8cbc9e9c1b3c1bae297e |
| SHA1 | 5b9f7be79ef436065c8e0580da2230229db9a2cb |
| SHA256 | 2a7793c0cad5957af7d0ee361f1067acff94ade1023f84f27119b4273d405636 |
| SHA512 | e40f212b3d7bc65e87e8a17e404d89f5722227ae3a7d4820cbdac36c5896e7b1126c856f5e6650568ddbdc6c9a1a5dee92807b62c7ba8631bea55a9ca4cffa9b |
C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat
| MD5 | b47c8916224dd9f638d475c0eae98579 |
| SHA1 | a96e6c42c037dc924c3546b2646ec96d6cc86310 |
| SHA256 | 6bca8ae14ac187d78d42b8850c75883dbd0d87d6debe2a7beb4ffd5c4ccb07d6 |
| SHA512 | 01633d57604b02b2001bb711b002914234bf259ca3a8784140436756626f9b3d31892555066e183abaa35a45eb0a35ad036bf4fbda08a1f5f552b197054dd3ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3ec0739f690dd376de94f2215e03c2b2 |
| SHA1 | 6d4b585ad78346b3e8baa38382052e1eb8c158a1 |
| SHA256 | 6d9bc4d441e84a246e0175ac969efa1a9e0914046d8c7b93dec81a7d348d0d93 |
| SHA512 | 4802ff72e15aacc1a3b27c8f70b7ed69726efb2756fda363c1f94afa7738b8e3d08d512114df815b4fef81cf37b6a405dbc61adc07b5923cbcba1298994a0095 |
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat
| MD5 | e6b7a167dc5cab53bc478dffbee6f4b8 |
| SHA1 | 7f138d4ebbee1ac02d0c53011006a43818ab5982 |
| SHA256 | c0f776664d682ed67c39c716485f0c9c2a76f984db908a3d7e9173703cdb7c5c |
| SHA512 | d3863691ccfa8e602a2274e37916b481e6dcb77269a7968206269942669cfe836ac901fd89e0ba7caead194f2a482dfb81b43d03f5a2565251780db0995bec9c |
memory/1872-537-0x0000000000220000-0x0000000000330000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c3eccd6f76797b965de6e166d4173c4f |
| SHA1 | 7aa30efead8b3947e8b114cd3f9286be25af3fda |
| SHA256 | 8b82510983a714877304228edf1243dfd8358cd5dbec124bf2e6a288a937c3ed |
| SHA512 | edc1f7f4a3c4fab6d70847961d78a968b655bb4e2cfdbed6629269dd7f45b86ec90f1e7cc82480f389b4d24094701365b7e91851f5dab6a540b555222fbd6fad |
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat
| MD5 | b2f27bb4233cb34b23bde06e4b70ca56 |
| SHA1 | 764913fbc6142ddcf9c47c7e79ba5595732a3cdf |
| SHA256 | b3051efa26e6bd1cc8af49eeaa47065bf270bbfdc51e64fa9dc5fca26d4a0e5b |
| SHA512 | 28f1bb468c3091a3f26676643f8968beb829d194740b954a9dfa7dea32fe6a043f30d444d352dcc159f68a988148b467c7b8ce6fe57da273f391fd8f5398a8a6 |
memory/1164-597-0x0000000000950000-0x0000000000A60000-memory.dmp
memory/1164-598-0x0000000000140000-0x0000000000152000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 17:17
Reported
2024-12-30 17:20
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (33 occurrences) | N/A | C:\Windows\system32\schtasks.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| 12 invocations | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\it\Registry.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\SysWOW64\it\ee2ad38f3d4382 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Media Player\uk-UA\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\uk-UA\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Security\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Security\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\TAPI\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\OCR\fr-fr\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Migration\WTR\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Migration\WTR\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\TAPI\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Recovery\WindowsRE\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e218f93ff7c0f24a3d39b6ecb07d850d8b144f2ca610b2e543e0448c1993cf6.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\it\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\SysWOW64\it\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\it\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\WaaSMedicAgent.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default\Recent\WaaSMedicAgent.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\WaaSMedicAgent.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\it\Registry.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\uk-UA\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\WaaSMedicAgent.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\dllhost.exe'
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\cmd.exe
"C:\Recovery\WindowsRE\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2296-12-0x00007FFA810A3000-0x00007FFA810A5000-memory.dmp
memory/2296-13-0x0000000000330000-0x0000000000440000-memory.dmp
memory/2296-14-0x0000000000C20000-0x0000000000C32000-memory.dmp
memory/2296-15-0x0000000000C30000-0x0000000000C3C000-memory.dmp
memory/2296-16-0x000000001AF10000-0x000000001AF1C000-memory.dmp
memory/2296-17-0x000000001AF20000-0x000000001AF2C000-memory.dmp
memory/3500-60-0x0000020F6DE90000-0x0000020F6DEB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zjepdwuv.the.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59d97011e091004eaffb9816aa0b9abd |
| SHA1 | 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b |
| SHA256 | 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d |
| SHA512 | d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e448fe0d240184c6597a31d3be2ced58 |
| SHA1 | 372b8d8c19246d3e38cd3ba123cc0f56070f03cd |
| SHA256 | c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391 |
| SHA512 | 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat
| MD5 | 1fa423c44409afa90a3ccb4c7c28fc8a |
| SHA1 | e8526dc8592caeef002beecdbaee61e4d9bf67bc |
| SHA256 | 4ab03da2386cbac5d9f43b3520ced889fa2cfe8d35b87aad3e059dbd71b42b42 |
| SHA512 | 68ba924239346c7a701dad0efac2374a98ffcd2b1c812acb6b28621fb8c24e49bb1f05de70d031f1ece6c3083d58f609fe56e851e97d4144ac600f3b0173b40b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat
| MD5 | f58c839638a3d919bcc4b39612967d08 |
| SHA1 | 8fdef2fa91c36bb91d21e6f127dac24bbce61e66 |
| SHA256 | b6f1bd6b13e87b7fc13286cf661b507d735d4d4d07fa93651756ccc5b2e2c6cc |
| SHA512 | a887bad2bfe468fc45231a82c079988fd0f8ce9f9069c84ad9268f3152fb9b0cbfceaebc0e4acb83146d1b868333c044610902f0df9de1f010c91704e1cb9abf |
memory/4548-197-0x000000001C280000-0x000000001C429000-memory.dmp
memory/820-204-0x000000001C7E0000-0x000000001C989000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat
| MD5 | c7157d71c1dc4fcc7a79f9b82d5f6d07 |
| SHA1 | 4516066ed7a59ea0ac9cc50723200ec1d46aa78a |
| SHA256 | d02f0530c1c252f8d3ed132d8b581c364a27b3d0ab319ad897c678d14d1854b3 |
| SHA512 | 19b4eb0ad76e17e334c93322ec55baa4769b4f00d67d0b4a34c2df81850cccbf6297edba98e5f4f943b28d6d17c718746be34577821e15e4ff4836ad2a233cb7 |
C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat
| MD5 | 54ba6891d45b018029268fd67221a0e4 |
| SHA1 | 154f75764baabbb47cd4559f4e3370268713c6aa |
| SHA256 | 1c4156ef1d208b0a48ebccfb4fbd6c63455e8720e726deee466163d1c02a8468 |
| SHA512 | fe32398a04d12fdb53dd93a9ada60bf2a75388feab8604ba7948841a11c812ff3cb8f039eb9fb91fdd32a3e21c03e378a860ac1d51826f9eea16c4f646ca2e6b |
memory/1788-213-0x0000000000E40000-0x0000000000E52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat
| MD5 | 8ca17e0f3555817fac25ab19561c3ac7 |
| SHA1 | 8c038b63337eb9c8b14c1cbf2eecee4a073be029 |
| SHA256 | 274b2f89d77bcf101f45c6a16f3f485f2cdff1dc82ba7e62319e739679a5adae |
| SHA512 | 980e26e4c9f5ee043bdd614f6ec4c6732a862c479534b7f47063d9b56484ba3eb1307e729dcf059daa2e92d2983b8e5bd161317dc5a067e70ff908a48684a3b9 |
C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat
| MD5 | d0ae55d63c1ea4a8a46aa4ff5974291f |
| SHA1 | 8da49d60831afec25e94c9d68e9d08d45c7056e2 |
| SHA256 | 27a3032255878227d9cc84efed35eefcb9fc2b9d614bc7b22027c4e3f7bbed79 |
| SHA512 | 0a9730cc2154d29c5134fcdf4237e8c4e3f15014bf5b0d3a117aa16b9b45029d10a085e04c4fa338e6cb3523897c800d9b25a9435286de19e00cc0c096b1a86c |
C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat
| MD5 | 653e20146c89631d63a403cc6b6dc1d0 |
| SHA1 | d912fb445b31b024bb73aeec345aa1e3015b994c |
| SHA256 | f6bb44df548225087e9868987fcb4bbfd05c62db3ace6efbfc54e651f987966c |
| SHA512 | 52e52794dc58d8454420e899536708a8e9c6a2d1ee4ac44f06569eb68ff88b275ad90dabee0cee93e629736b2906705007d852e4a1c545c8bbb3a714eda14fcf |
C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat
| MD5 | 905ac9b6e6adce34e432e0b669d021d0 |
| SHA1 | 70d1095c383fa052a8e2d3695cfb6bf5ecf1a418 |
| SHA256 | f40777327a957f9f4428229843aec194cdf9e3df8131692ad7b8696f96b6b1ac |
| SHA512 | 0eb612508b3af7d7cd253e3e097e6fbc259fe7087a6511bed31e90596d3c2231156ebb3db2b16da6bd85b711a676b1a99746bd96ca3de662443e2ba90adea9a2 |
memory/3720-238-0x0000000003150000-0x0000000003162000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat
| MD5 | 33bcb36ec8a6ce6dae33697f855077c2 |
| SHA1 | e8bf3ff9d1c0742db76e8059e31e0730f8a5120d |
| SHA256 | 436e0bffca9880b1813977859192b1ef2d8ecb391a603bff405069f665f46712 |
| SHA512 | 1b5ea08b7de9aa0f4930585f662a7da6f72dc85d399d5f9ffafe5c12622d4113df0778e060bad720020aaf77abe197a5ecc8e628df6dc8c9eabca2f01ccf5412 |
C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat
| MD5 | 13d92f0b3193ba6bc71f77f6fc131559 |
| SHA1 | 42f657e6857835690608e271bec50ee0885958f1 |
| SHA256 | 27b246dd8242bf8492839d1a21dddea46564d2fa9091e1c07c16a2335753098f |
| SHA512 | 3831ed88d0428f67b81d4f752636d497affa8097203161b181607a2436d1618b7db3db5a22915740d8f32f3ff3aeb5e39e746ea25a991071d03a927f459de398 |
C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat
| MD5 | eb9150005065f61e851da5f465adafb9 |
| SHA1 | 023726fa70e6f595bec98fe4df28353632475b9f |
| SHA256 | 9512f43de0b919dedb15337233a2e1e88ce6da75232e4bdda57b91b95c19be56 |
| SHA512 | 9207d57585684736efa8b2751790466fa828dbbfc1280385b5f3782b9019fce50d26dd911f212f822b6122a50ab52a3ec0e1c84cb969007eb783b562d7a08116 |
memory/3420-257-0x000000001BA40000-0x000000001BA52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat
| MD5 | 7f44837ea3234a8b47c2b8e44e886f67 |
| SHA1 | 7308ad46560732d99de815a715cdc75e5b354924 |
| SHA256 | 16f19cd094d0897642188e0e02aa38ef0870f99ab2b8dfb39ea87babea56a56b |
| SHA512 | 1c95619ff50b31457a49dada1a28edbd48efed6ad6165a293c778700969ce25cb35f4c4705aee53149df72dbcc7a58d6bd2cdd5dc0b193dbf7300160bca8108b |
C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat
| MD5 | ca40583628f3b36eb7ab33010e6002ab |
| SHA1 | cac93f9e6475ba2de18dfa07b4f3bd0b331454bc |
| SHA256 | 0213551b846a281f0cc31535bb46a88d56ca8cc16cf1fa8477bd6ac37b022ec5 |
| SHA512 | 98d9bd0b58d27bc8b2bd21a71c4e883e8618e557dce04efd26ec8479e9d52b9c965300b76333af5d3b53edb23475cee94fbae95f78a58cfd6e87a5c87a9f08eb |
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat
| MD5 | 2fa01fa5cb3ff55559baf87b47130685 |
| SHA1 | d6d09e2a26e0f80d19172f3ed8a5778d12d02701 |
| SHA256 | 40724291df025ddc1877563bedbac617b4b62281418fbb40ac8dbec921dd3029 |
| SHA512 | f5455419caf85046750d76e6c231be73e1c921a9da17b7a1f1fd3e71806f71c3f4e28bfd49336f6aa21a96cfe6eae8bedd27010a9616f11863258d9d4284f137 |