Analysis Overview
SHA256
d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169
Threat Level: Known bad
The file JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Dcrat family
DcRat
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 18:52
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 18:52
Reported
2024-12-30 18:54
Platform
win7-20240903-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
| N/A | N/A | C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Portable Devices\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Portable Devices\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\CrashReports\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\CrashReports\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe
"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2044-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp
memory/2044-14-0x00000000004C0000-0x00000000004D2000-memory.dmp
memory/2044-15-0x0000000000A10000-0x0000000000A1C000-memory.dmp
memory/2044-16-0x0000000002380000-0x000000000238C000-memory.dmp
memory/2044-17-0x0000000000A00000-0x0000000000A0C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V90WW3BQFYXQKMWYBYQO.temp
| MD5 | 389d97ff412fa01d84a708c3476c37fd |
| SHA1 | 7ce0954c9f25ba50016b9c8cf8973752f243c2dd |
| SHA256 | eff603ce8fddf2a09854fa1315f666df5f63cdc29abc9fb5efa628b814de3a95 |
| SHA512 | 8e0fd803c27cf71face47689c4439b607f9e0309c0be550b2f1fee15e364a2c6655511228618a01260eb6e661f95936ef1e9a19fadcddbf5c73b27ac9cc589ce |
memory/824-36-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat
| MD5 | ebff3c7cc1dd60089b886e5ea1ce3d3c |
| SHA1 | c5fd2cd1a3caacede728f92e3043a08388af75e1 |
| SHA256 | d9a86d75d7c24879760b032c53da30a70891d508e2df5cc7643c07830abbafc3 |
| SHA512 | 8742d6be0b518a024ea1453f610c8956f2bff02e11199890c97e959aa11a106791465b884c286e5923b26b8ad57153761bbc4b1f2bed8ba8251a31144ca671c4 |
memory/824-35-0x000000001B570000-0x000000001B852000-memory.dmp
memory/1292-57-0x00000000003F0000-0x0000000000500000-memory.dmp
memory/1292-58-0x00000000002C0000-0x00000000002D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabE3BC.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarE3CF.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1628-116-0x0000000000FE0000-0x00000000010F0000-memory.dmp
memory/1628-117-0x00000000002C0000-0x00000000002D2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e34bf06c357272b3f282b21389c5d357 |
| SHA1 | 70b38b9c81983df7e9f78d250571b262173c9e46 |
| SHA256 | 3bcfbead674605049e91faeef3ea9e3b8e769516056ce12e79c96a3c8e2c5359 |
| SHA512 | 4f7402098a723f4d4ec6c429d5e0644a0d70fa69835da0b833542b49b5122593b147b68b769ee2630c66f14fa89149610c97da8427bdb1534e65dc2712941e47 |
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat
| MD5 | 2f222b14373e37acd7e96a76e170ec5d |
| SHA1 | 292c2343ea1dbd2f34824f4aa2b3db97fb17362d |
| SHA256 | 1f94db8b76a909bdcd48c4c66247a7fb6677369733eee9b728094405a00bbd77 |
| SHA512 | 275ad0a5404b07ec79ab239cc3d45c72032412a17d30fcef528f7260d9dad5d541996c3007d278547d0359e9470aae7df7f9c4a1a0c0b78ed1f5104e9820056a |
memory/2300-177-0x00000000002F0000-0x0000000000400000-memory.dmp
memory/2300-178-0x0000000000140000-0x0000000000152000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8c2641c7f1f55b0851b94d59f3ec44d2 |
| SHA1 | bfb6bcfa354cab9508cbe34bc3e97bd0c0cbb9e6 |
| SHA256 | d52a35674fe78ef9aa49dc0ace3c0f21932cf65ebb1a9b1231be61ea968dbe15 |
| SHA512 | f5aa18fa862cf1d415e0f2f5c18b1df011a4daca0279a4648b92c2eb5e0696863b5ea1d58c52cb2b969035a96073c5e3a93dd20db4b1ffe4d238753891142a82 |
C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat
| MD5 | 1dbe82acd06c5dfec97ebf8a345db024 |
| SHA1 | f3eeb392affc5d6911432123f409ed59f507bf20 |
| SHA256 | ea3edecc9503178c74aacba1279c1c6f5a9cc30ffe41e0095d686b6fdbeb31dd |
| SHA512 | b5c4cffb6a5a034a86fd6297ba9ef1623f1b5b423872eafb863a0cb779b8122cccf4571c325c25bda4d489b86434ce9f40ba9daee44af98ed37a8af5cb2e18b1 |
memory/2800-238-0x0000000000F10000-0x0000000001020000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ffdb44cc5c69eb2d303cd7e1e8e815f3 |
| SHA1 | 86a3d05d8344a6838b7fcf593b30fc7b27ddb64e |
| SHA256 | dc7947926b9e8c270142b8938c7baff1a7133a34fe8b991788d4fd43272866f9 |
| SHA512 | 0ca0beb9337eb4c1d22f414a3717251877c0be159c95fc8ad4823678aa98c62cc253d79484140aecd1d4a72bda43ba1797b39486feeb98dbd468328faf39ad39 |
C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat
| MD5 | 4670143960c4042239aebb3ed2b30840 |
| SHA1 | 676343886fbae68daf4afb63ad05be779a793db6 |
| SHA256 | 0b2fffd5a58afce869e2219717dd1efa7cab9646d6fc8791592ac33a17b4575c |
| SHA512 | 7e265fc450d311bc313722675c3a5211b4fa16425fb19947951256d83463f4b3ad7ac33562f5a4f1efabb338cb68be4c4f951aadc6e96a92eeb6cc0af2a8c2fc |
memory/1592-298-0x00000000003C0000-0x00000000004D0000-memory.dmp
memory/1592-299-0x0000000000250000-0x0000000000262000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e0fdd7cbd2a0fa99f63f374b149b01d8 |
| SHA1 | c3518795d4cc010927691ce6f8f8e4a7d2a6d9a6 |
| SHA256 | 69986be0bcae5bd661a29a7e0af4381bd48a1afac7464e376469f684ab7e1159 |
| SHA512 | c44105cdb6c3f2973e75f4065c217adaebda8d7e842130343b8db8847561695e473f4fce6cc12b1e73820abbe0cec4bf88e38b68109252a3bba5c5c466676d68 |
C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat
| MD5 | a64db4a1b0bb99fa1eb9ead51d8e575b |
| SHA1 | 9bcbc622b02a0a95963806003895fcda659bfdda |
| SHA256 | b214fff58ab6cb4cb50d5d7404ef6db4cff7207df73779639ea63e20d5818682 |
| SHA512 | 13d6001618cbc0f965bc007c3a56bd32618403c306d340b18cdcf18b6a8ed5c957ac4bef99d99099b3f325e290ecdd23add216b0d4b968b60959532ee92faf51 |
memory/764-359-0x00000000000E0000-0x00000000001F0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a20e7bf785ab1704df46d245dda618b6 |
| SHA1 | 97d24c1146b138236df4a5d7f3158a8534d74c59 |
| SHA256 | 517b54a02682ef2d3f74b05f3a6d0043c22725817adeac545a712e9eecda342f |
| SHA512 | a76dd65fae11852d96154e3276354415b2e1c18f1f7afe6d3987cb2b526a31ae00b5aa1c594cd90af7e04c560a80c4df578b47fbd1444fac9ef01bd972b2362b |
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat
| MD5 | 32891d3fa30443dcd67f4ebfba8d1de9 |
| SHA1 | 77cccf05f722737f021ff55819ac7d09104dc0e0 |
| SHA256 | ca6ef58209a76b3247bd0c172ed43021d20861de18755e760f29d68c14e61bd2 |
| SHA512 | 8aeb71e17c230e70085ee542cde2fc01afa0e2d7e93bab36ba2ac1e46b95a72b18c2f69c0ea458b0d35ffa22348f51366faadc8e979da99360341cfaf9845332 |
memory/1964-419-0x0000000000250000-0x0000000000360000-memory.dmp
memory/1964-420-0x00000000005D0000-0x00000000005E2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 67b59173df2213b7f9b93a58a81a853a |
| SHA1 | 99a9af578ac792991a7c632dea07c58072db5835 |
| SHA256 | 1c1998e6720d92f1c6c140448eabb3b39c2c058fa69859a0ed4fb50cfb4368bd |
| SHA512 | a744d213e6d3d4dc3ff235ff974d342d7d97618b802d32d4a642a2e7b67df9cdf6272e9bc2f0f467d33f91a0c733dfdd5dbbc30d97cd74ef13b989e1105cea9b |
C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat
| MD5 | 1a0ad7726d6c95e931dbbfe08c2ba080 |
| SHA1 | 145577956c529e45f0d02c4118c921ed89772bd8 |
| SHA256 | 94c6cfda08c1e510ae4c00c6144c3b7f7d1a9ef0357b11544f5b8784469f3650 |
| SHA512 | f561124331401cbc1f650ba0cd085af172099582a146ba79c7a9299bdb289d6d8b81cd57814f0cbac6b1bdc0a04ae5b1e128f3728535f918f31d9d2cbc3687c0 |
memory/1696-480-0x0000000000A30000-0x0000000000B40000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a245f85e1a9af5f2c4c3178e2a0b5552 |
| SHA1 | 6b82adce744353d6096a146dc19710bde9e41ef9 |
| SHA256 | 470833d643468b35dfb5245ef7f42ff179a9daa4a4b146e6572408ceea15d5ca |
| SHA512 | 14a0e4ee9f8bc03f37c7fb0961d8287a6db80d33be353576627683c16f6517f9e07d758d2441fbc1d2d94eccaad547ef950d4758d253518d02354141d10a1040 |
C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat
| MD5 | 1c152c53cb71a3572e4cd4b1285bdaa2 |
| SHA1 | 6a23e94d065480df5a1094218e9ac76fa752c068 |
| SHA256 | af9958dc26ff5b8af86a5190ff9e913190184edfd3b1f9b4a020a5f6b0c0e712 |
| SHA512 | b15ab97eda0b2274452db84968808de927afbbadd76915ccb2d1097e73880a76f1866bd34643f412c38433de41babfc73217bb282f74be1387bc62716df2f5da |
memory/2548-540-0x0000000000B30000-0x0000000000C40000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 82bed4fde9e447f180350cdd86da0c68 |
| SHA1 | aaf95a6b6ab7209d85f3a543b0d63dc2b87eca63 |
| SHA256 | 5942a021a02f7ee8276682027fdf94304b47a51ae2e301fbc3ff0f406817ce58 |
| SHA512 | a80cf461a8b48131d96843b021040cf0a1f07363176c841f660a295a52e4d77d990cb02992c2ba005fa2c2118d498de5225ac253d1ce2d3233106483c08ea38e |
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat
| MD5 | 41a0395d219ce451f4acaaab5927bba7 |
| SHA1 | 039977bbbdf02dd328e9a4908d70299693daf114 |
| SHA256 | d969724166a7ee3c0db50d093d4a1e68db49088aaf5cb3de238eb096770a7d25 |
| SHA512 | ce166fb6a10a33a6d2aba43a5ae769bd1812f671e76c02eb2e8a8549daee70deb6dac37cca399ad3fd9fb1bee02fca6b3894565b88bee56d8960ae1ca3c5ca97 |
memory/3012-600-0x00000000010A0000-0x00000000011B0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1471558b5a25f2e7edcd8a82403ab3cd |
| SHA1 | ec006bc3de7a96619a2d0c0e4e8ba4dfab738b75 |
| SHA256 | ea30fe42ac7df7a8071e05dd1c3ac7b7b610fbb715fcc984c3427fae84a5ed77 |
| SHA512 | 3823493560a98045af979648674f933fcd91e46ae11f0e13bb7cfa83905e907cd8f371115d408f8a466d00515759845fc1bdf70199e37e06d9334a75ec5ff1f2 |
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat
| MD5 | f34f24588210de7f04d2e67dd3f5e6cc |
| SHA1 | 1fe8c2f99d13c2236ef2833c8252b2be0c5687ec |
| SHA256 | ca75d0f4b15d17a34967fff9861f5bb8344a9c58f2068dc826ef44b2959e9113 |
| SHA512 | 324857cda7f39e23fb88c5bfaad4c596544265f05fc273fb429ed94336b9e774c208eb10b8afc773f86b68face5e625c39ea8f4d7f869f15eaefad969978f2ab |
memory/1104-660-0x0000000000230000-0x0000000000340000-memory.dmp
memory/1104-661-0x0000000000160000-0x0000000000172000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 541a94f3a70a62d0eac49fd67260d3cf |
| SHA1 | 93d1be511710dea084533f3212d49c1a112ea2cb |
| SHA256 | 204d55ac26d47f128b47763d73aeee894a94e6ea7065504377d4af684cd1f72c |
| SHA512 | 4c583434079064dd6d123a624f958e41ffc883f66a119553a9bf7caa28e0c6f04e40c937ed6842d6cfa9f2984960c744b6aa622326b046e46120c7ae42815202 |
C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat
| MD5 | f9951ecaece3ca8fce1d10b89ccd03ae |
| SHA1 | 73b8decbc6ecbc93c3a04c4b2df6a6d7da3d6656 |
| SHA256 | 1af14a7e95d52b106cc2b36bc458f32428a613249c371af705ce4f2b321b0fcb |
| SHA512 | e4e2d4462ff45a5bbe466ae8239cce9ca3a63084cbc9983e152f5e99101509b85642f4a507603aab098fa92bc107f3422fc7f1c5411ff1a29ec4a44c73c26447 |
memory/2440-721-0x0000000001310000-0x0000000001420000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 18:52
Reported
2024-12-30 18:54
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\TextInputHost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\de-DE\29c1c3cc0f7685 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\dotnet\upfc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Crashpad\attachments\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows NT\Accessories\es-ES\unsecapp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Crashpad\attachments\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows NT\Accessories\es-ES\29c1c3cc0f7685 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\dotnet\ea1d8f6d871115 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\en-US\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\en-US\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5db39bc3e7378de31a7b2d60b1660e743f3c01540c79c2c13128cb34200f169.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\dotnet\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\providercommon\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\My Music\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Music\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\My Music\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\providercommon\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\providercommon\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\wininit.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\taskhostw.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Music\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\wininit.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8mEF9UVP9d.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\TextInputHost.exe
"C:\Recovery\WindowsRE\TextInputHost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3520-12-0x00007FFD21D33000-0x00007FFD21D35000-memory.dmp
memory/3520-13-0x0000000000440000-0x0000000000550000-memory.dmp
memory/3520-14-0x0000000000EA0000-0x0000000000EB2000-memory.dmp
memory/3520-15-0x0000000000EB0000-0x0000000000EBC000-memory.dmp
memory/3520-16-0x0000000000EC0000-0x0000000000ECC000-memory.dmp
memory/3520-17-0x0000000000ED0000-0x0000000000EDC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnxu3nmk.eze.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3784-65-0x0000020BE32F0000-0x0000020BE3312000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8mEF9UVP9d.bat
| MD5 | 57bc6566f2339b1ccbfd9d9adf357ecb |
| SHA1 | f83608d89073e9ef3b2ab42cc002d41e587d21c3 |
| SHA256 | 191a21672a4352f73fb27edecb8fde6ef98856f2331b1e077ea342b720752444 |
| SHA512 | c6725ec3da94cf3298e1dc793adb4e6563968e6d97af8d4dae5739629ab72bf62e09bf9a9ea23b35d632e5e7dd3d7da5afbd01380050027ecebc737f590d7715 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f0ddc7f3691c81ee14d17b419ba220d |
| SHA1 | f0ef5fde8bab9d17c0b47137e014c91be888ee53 |
| SHA256 | a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5 |
| SHA512 | 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aaaac7c68d2b7997ed502c26fd9f65c2 |
| SHA1 | 7c5a3731300d672bf53c43e2f9e951c745f7fbdf |
| SHA256 | 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb |
| SHA512 | c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac |
memory/3520-260-0x00007FFD21D33000-0x00007FFD21D35000-memory.dmp