Analysis Overview
SHA256
20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177
Threat Level: Known bad
The file JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
DcRat
DCRat payload
Dcrat family
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 17:18
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 17:18
Reported
2024-12-30 17:21
Platform
win7-20240729-en
Max time kernel
148s
Max time network
144s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Count | Description | Indicator | Process | Target |
| 21 | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Count | Description | Indicator | Process | Target |
| 10 | N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Count | Description | Indicator | Process | Target |
| 8 | N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Count | Description | Indicator | Process | Target |
| 1 | N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| 11 | N/A | N/A | C:\Windows\Web\Idle.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Count | Description | Indicator | Process | Target |
| 11 | N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\en-US\audiodg.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\en-US\42af1c969fbb7b | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Web\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Web\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\tracing\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\tracing\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Count | Description | Indicator | Process | Target |
| 21 | N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\audiodg.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\audiodg.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UbyABZCdRu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Web\Idle.exe
"C:\Windows\Web\Idle.exe"
Network
| Count | Country | Destination | Domain | Proto |
| 1 | US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| 10 | US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 17:18
Reported
2024-12-30 17:21
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Count | Description | Indicator | Process | Target |
| 12 | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Count | Description | Indicator | Process | Target |
| 5 | N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\SppExtComObj.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\e1ef82546f0b02 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Windows\bcastdvr\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\bcastdvr\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\bcastdvr\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20bb14fded0029e7840c9ced7efb17e0293f6069ea6d8d387b8c033eb0c97177.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\bcastdvr\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\bcastdvr\DllCommonsvc.exe
"C:\Windows\bcastdvr\DllCommonsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3024-12-0x00007FFF0C4A3000-0x00007FFF0C4A5000-memory.dmp
memory/3024-13-0x00000000008A0000-0x00000000009B0000-memory.dmp
memory/3024-14-0x0000000002BE0000-0x0000000002BF2000-memory.dmp
memory/3024-15-0x0000000002C10000-0x0000000002C1C000-memory.dmp
memory/3024-16-0x0000000002BF0000-0x0000000002BFC000-memory.dmp
memory/3024-17-0x0000000002C00000-0x0000000002C0C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log
| MD5 | 7f3c0ae41f0d9ae10a8985a2c327b8fb |
| SHA1 | d58622bf6b5071beacf3b35bb505bde2000983e3 |
| SHA256 | 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900 |
| SHA512 | 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q2c3gksp.22v.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4204-50-0x000001E529530000-0x000001E529552000-memory.dmp
memory/3636-75-0x0000000002990000-0x00000000029A2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat
| MD5 | c20200e418652e34dc09faf924ee7e9d |
| SHA1 | bae20eedd2d8ce5b3a952cfaf429ca13fb107936 |
| SHA256 | 7a93648c1881c1096dbfb994db16e35fe7ce5a1f7d61fe628ed8150cd307a740 |
| SHA512 | 54adf5ed24fc305d57f1148e072ac0596b45eb68b08e0779b3e58affa853a37f34e503b4d22ad66f612e66127e0b95fdefe12548f77fe03d1c61f456d0950984 |
C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat
| MD5 | a77393f440de76d384746b5db6c4c63f |
| SHA1 | 1cd5579d0d5476221b301c3d24877ebcba07b710 |
| SHA256 | 7021bebe788d83c41f9e5b4a2a1537dc84fa650ba97edeba10bb1f76c19abbd0 |
| SHA512 | dd86e40ab0c4f2f08bc5b92a4358b131b1f17aafd86823f27ee6c85efcc9784de9e4d47fd9173f0e919b2d81ce2443f4697aa6d5a8e521a3582281defd689a22 |
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat
| MD5 | c53d062bc6af5ca899cb7a6392bfe112 |
| SHA1 | 687fae03f6e1623f89bba0f97c4aaafa21827e73 |
| SHA256 | cc16859d1b142df2fb19ca7fe1db5a8f6bb562d784123b1a32a9603e45375b48 |
| SHA512 | 0ba0d699c7e427036aa877b1e5e0c0e6fd7c347f7ea3b6a1eba044db84b8750ac07a149e3633490dc82ce1ebe8818ea4302b3a20ce5849f147033041d8785d9f |
memory/1128-114-0x00000000029A0000-0x00000000029B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat
| MD5 | 2904630b6237f97613113da9833a008e |
| SHA1 | 824d7c0ad1fff1364b4d48506ada4c22f9c2e2ad |
| SHA256 | 41928a2566f5cf5a54e1e8cfc0dd408c976465aaa6bc44b46edd5a0040d92b88 |
| SHA512 | de523fcf4404753e29e179afa86a8fde08ee5e89163b3dc0fa5a64b7c6b93847f6495587b95245010c71cdd357ba67df6640a6d230c63ee454c0e01f2b3a60a7 |
C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat
| MD5 | f10fbb1c4761cf4753fc3b324ce04774 |
| SHA1 | 7e9be3830eab6c75dfef0dc6befdeb086b74bd08 |
| SHA256 | b54c611b5b9a13ba92024addd5ccdd1853ea0893cc3161633fc8ab506535aacd |
| SHA512 | a6ae6ee8d12bb1a56cc2b05e90a1e51858d89d13d34a62c0b9818abc3aed79261cfb1ea0d9fad3e6f95562fdbf7bde05c559c2e5e0f47762373715e8845c7551 |
C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat
| MD5 | 4b3d181082149b655446685beccec9f4 |
| SHA1 | 911fd0457a2c498d39b7dd9be729897119d948fe |
| SHA256 | 5792d718079aa032aff5e80758e20b8e1d481af4df0ef3bb4f4a2d8441b25c0b |
| SHA512 | 607e52e1bc9bf5543da5c8b46873c1365416d5b665740856effe9cc74835cdb413920c62124cae2c706da670cb3bf32e937a20aa83907624526152c0927f8cb0 |
C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat
| MD5 | 72ec0ca508df79dbb551cb51b5f53d17 |
| SHA1 | c3b76fb254e2b2f95c646bd405f0009cfd8c914d |
| SHA256 | a64ab4cf7a76b34eaf9efb044d38a919d2e82272ad456f239cadaf3e9b51c024 |
| SHA512 | 767a0451458ccaeaace4844aa0ac9a4e793e49c619659e604e289b3479771896471b7ded9844d42756d8893901e75b56c4b4e30d37852ecef8c829d7a91c89cd |
C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat
| MD5 | 4703a6f0f23be37ef3ef5039b7a60506 |
| SHA1 | 9f69c3b18fee06b364669878c028a793703a776c |
| SHA256 | ea93f72d92b5450b34785437aad8b6053135c344f21fb31b85e88339f8613f58 |
| SHA512 | 96ff18ddaa97dc327377d017819753092bd5ef7018f125120f1f4a94a2d9665db09a99081b80039afc98b12c3cf588b8eb39f9fba1f74e57c9cb073e897a60c2 |
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat
| MD5 | eeda916025e42eb67b06b5cc96ada430 |
| SHA1 | f3a5b1bed80ff46668054c8d9d202580d49d3904 |
| SHA256 | 2eed28016d52e1addddae12c3d02694b977dfccd96e45594313296e34c514f76 |
| SHA512 | 955cf46a76c22d7036d5e288bea028291ff2c041bb98c6c859bf168d60d16643f77cf59272e5dde80628757f423307e9b56699ed18f447c1b6640aa1f04eac0f |
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat
| MD5 | 24a62f927e8d93563f521a85b6087308 |
| SHA1 | bd9fab1315cd81c866fe5116a11352b339ad28ec |
| SHA256 | e86ce2f3f5d57fe0132f7567d594724d1b83aa405bf4e05b0ede5cb656b03f17 |
| SHA512 | fd5a73d6b3dd587f3a4a5788cc36f75a79fa511b60b05c9a8740b155b1ecb59402bfccc7faffee304b88c8b900ed6e91e829cb5d4ca750100337c1d8336e8d72 |
memory/4456-157-0x000000001B020000-0x000000001B032000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat
| MD5 | efd502bd8e21e2b60ba0b1636d92ef2e |
| SHA1 | fe17e624dd4a670135a073d879e4d08c05f7b62f |
| SHA256 | 3cb02e36d526f49206b87d067a517bedde0a3e73942decf353a5a1a277322dfb |
| SHA512 | 1ce7faac04ad72ca329c9732758f25bd6ef34042bed4adc0ab426960bee8dfeef54802feadc9b0e8bc59269fce872ab4e491287141865906ac413ce44fcabb23 |
memory/1504-164-0x0000000002AC0000-0x0000000002AD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat
| MD5 | b8b718b32a2a3193eb7d931cce194c1d |
| SHA1 | c2187734e5842eb38319428ac338414c394facae |
| SHA256 | 3d52fa3a748276bcdcdbe66c4dd600b3aed0f82a39ddcad5eb8974da450985ae |
| SHA512 | ec8bfa2d243cd65648741fd1655db7ab78713c88745a6cb2ceacedee8711b2ffb44f5249072830386898279e5e6819241b480bfab34e76bf4b7aef584a7458d1 |