Analysis Overview
SHA256
9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151
Threat Level: Known bad
The file JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
DcRat
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 18:51
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 18:51
Reported
2024-12-30 18:54
Platform
win7-20240903-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Sidebar\ja-JP\services.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Windows Sidebar\ja-JP\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\Visualizations\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Visualizations\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\Visualizations\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\ja-JP\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\ja-JP\services.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rX48AtNwwF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Sidebar\ja-JP\services.exe
"C:\Program Files\Windows Sidebar\ja-JP\services.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2784-13-0x0000000000CD0000-0x0000000000DE0000-memory.dmp
memory/2784-14-0x0000000000340000-0x0000000000352000-memory.dmp
memory/2784-15-0x00000000005D0000-0x00000000005DC000-memory.dmp
memory/2784-16-0x0000000000350000-0x000000000035C000-memory.dmp
memory/2784-17-0x00000000005E0000-0x00000000005EC000-memory.dmp
memory/2640-30-0x000000001B610000-0x000000001B8F2000-memory.dmp
memory/2640-32-0x0000000002220000-0x0000000002228000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 65fcca8c44ce38b79f5e11b8fcc74664 |
| SHA1 | 8af6927aca45640b53fc498633337a9d837765dd |
| SHA256 | 81850caedcbf0a09e9043cde1dc46b13c0587ad4785a10abc894c2b57e8a32e6 |
| SHA512 | b42a4c659b7082329007edfee1ec7a8cc1746500dc518ca865817ed8c7322c34a3f7cb8428b5966abd9dd8ee11a9813fda70fb8f673896384c22cb72e6b97b5b |
C:\Users\Admin\AppData\Local\Temp\rX48AtNwwF.bat
| MD5 | ccc28d15869fc419ef37d819b5248b4a |
| SHA1 | eeb214d86c9461e2c4c74408f421d71afc436d0f |
| SHA256 | 24c4882579973fa7a5334eb3231701229e4d55cba0eb11f10ce07cea7cc31f7c |
| SHA512 | d35b3f95ed5bc837cbb13fcbdfef0479f370c12ecf71fa438143c78766a54f778f59bdbbaa48ffeb7ee5a84f61399f928c2850db3ef75d6848528261babcb959 |
memory/2908-45-0x0000000000EE0000-0x0000000000FF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFB90.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarFBA3.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat
| MD5 | ee44fd9c70bcff407a5bcde1d7169a44 |
| SHA1 | 3bb04bc227ef9b888dc7cefdad094e66f129fb79 |
| SHA256 | 8d861c61c6bf2865187a428e6e87c32b51bfeafa0b35446e222175df583b8b60 |
| SHA512 | fdcd9242ddbe0965dea8deb33362a858f95d35ab304d993e7a0cab72b0ccf672437ccf2522f91796cb4569c8eb0dd4293f3d517e6f023206b8023d759c907b4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3390b88dfd062f269721c312b8102be0 |
| SHA1 | c426ab14b507e1d7d300bb03fa1e33c0ba069bb4 |
| SHA256 | 316ed4d2b8fdbee7efa267399ea48890106ea6c095bc416d8be3339a670c02e6 |
| SHA512 | 204c64df956298a7a4c2a00b69e21235b85f9439edb231c21eca42e300c243883a376b8da76c56cbb26c6a7b606ace35cbc2d9f21ff88835551204f1fad807ce |
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat
| MD5 | 174e16367fa4bbca03f5db6fc9cfe0f7 |
| SHA1 | 9691a9cce96c769bc3a1ddb7de6d97e5eefb47b2 |
| SHA256 | 6b972d434f2f833260c52b66a251c9b11ce10236c38577213ccc7887292e3a9f |
| SHA512 | 801b550a2faf8617c1dda6550a3c92ef7a60ceb8ff4f30bbf16ec813ad416b7981f7ab546806f9daa4b320d86cfdd962bc746eb8022e56e297b4a7bcb05e58b6 |
memory/2336-163-0x0000000000F70000-0x0000000001080000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 54422ff10a391c9e1d0231f90b5b2f95 |
| SHA1 | d3e21a949dd035d369e0fa30b108fa21d0207b08 |
| SHA256 | 823ce7d93fea3c58e9cb67fed4cf4862420541404a8a4246ef04b014b41bfea2 |
| SHA512 | 18324eac408158a81f5c2b237280cc1ff289ae293dbbfcec567a4a73372ea6cc826a5f28654675e55ae17fcd0a884ee825a78197ef854599f2e42ace9e6561de |
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat
| MD5 | e40e0b335ec4879f2264cb7cfbade409 |
| SHA1 | f3514feee3e4322175552423b458aadf109e74c4 |
| SHA256 | 5a918b8d6950a7c1b8f84eae9f67480d26bf94669d8a6b2bead6828ae287dc86 |
| SHA512 | e54bd71c58a51c09d31d3d51e58d9edae2d61911cbc0d81b46a3eb310775b413402163da8f56fe954c7c09fd8c7e944f0af35e4e6d98064a491f259d939ba39e |
memory/2840-223-0x0000000000010000-0x0000000000120000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 442f55d9c66fb35dc6ccb99ab0fe7cc4 |
| SHA1 | 8f2a6eea221c9996fc078328e925e008a5d5c538 |
| SHA256 | 61ef61280d3bcfd05d2674eae36504b4065fb272ed1b0e3306952981a39e712f |
| SHA512 | 101bbb14f3d5d38ea0037ac6d139c7fd4ddd47d04aa7083ccfd058510357a49c8ddb3a470ec33773311da343db3a66d35e30e88b37d752b03593e82f8b75bb1d |
C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat
| MD5 | f7a3952e4ac873ccdf0b7cba016ea981 |
| SHA1 | 70fa9357bd25b66cf2aef0c03170f75710965d66 |
| SHA256 | 13e4a8285a54016c48089c4f6cf97eeed7026655ab2362e6084a2df50ad243cd |
| SHA512 | 05f505752d07ff25af7db209dbc530f2cf89d664cf718e7551e03b97ec4f5e44d80bf6bc5f649bd178b64b7348149b3d8163facc2fe877e84735338dbb7330b3 |
memory/928-283-0x0000000000BF0000-0x0000000000D00000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fd1a4670a896e75ba60fbbba355d2fff |
| SHA1 | b832074d6b4f4d57d91881539db592b2be70233a |
| SHA256 | f1d99ea7d46d37dd78b99bd42ff45adc1fbceb0bd92d3cc1ce7d29e8949319b6 |
| SHA512 | c801007391306e34c5778fd5af5154834880128071ffe06d62e3a9dff1bafc07405775077f51c8018b94377aa1e640a317626440f0bea10773b070a96ead5f93 |
C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat
| MD5 | a2d64593c6b03dc19a2e83eef1338ce0 |
| SHA1 | 86553bd696a04ca28934f8aa81dec62ecd18f57a |
| SHA256 | 82de4239dbeacc931e6a8e502954937528270831da9e19fe6d30cf5e5cf40018 |
| SHA512 | 916eba25e8cae835c3122c553f4b50ac363e4dc8364245f8eea733c575357f48dde715300ec290c58809c3d084e79438fbb7ddc7f554af16e9aa73f81e5bf5b6 |
memory/1040-343-0x0000000000F80000-0x0000000001090000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e8c5ce9f0be74410b8e9f928cfd5ac31 |
| SHA1 | ded8f1c9f16f101101272b0b7b26f85364beafef |
| SHA256 | 51fa6daba509295498bd4860ea332c1545b5deb0873ac95d6041a2be0be833fd |
| SHA512 | c940365dbb7ff95541a5b931d0d9209bbd2de1c32ab83afff1c1dd85f1185c5fc03abf9b44a50c9ca391f8b66dda92e59aba20035d7855e660d88481bea76c94 |
C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat
| MD5 | 36907db0980666ba05c6a5bd82059cfd |
| SHA1 | 4a9b0a99f631b3fb6edb87fab2ed4693c81f038d |
| SHA256 | c0bf05679d3a9c2902cad5934e2402ceeff2376b9e608da790135477e081d759 |
| SHA512 | 95dbee4730a1e2ced28a253b8e3f9c49189494a68dfb7102d143f200f74bf38eb0cecbcf42ab75fee8bb74efa44b3270d8ce019c978db2f32dd10bb56d417e85 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18fd749b048d6c7940e6b51fb897bc48 |
| SHA1 | 8ddae4d31910398a866e5fe007004e8e803d51db |
| SHA256 | 2160de4c8634df6fca490c3fe43fa194271600458c0dec30d753b6a803b04de0 |
| SHA512 | e9150514432c7da861407103cf435d24a6ed8548f3b6a52342e7d43ad58b8bcfb5a70f33bb3e9655cceedc65564138371119cccf16265d065ff0ee5936b01dc0 |
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat
| MD5 | 4abb27225cf4d2388c7b976863594ec0 |
| SHA1 | fafefb94a62c4d00329372088b4fb28aa77cc38a |
| SHA256 | b5e3b20fbc6085aff5e22c7b541ecf53d77f0093b2fe2f988ac42bca80c5109e |
| SHA512 | b99219686532757fb2457ed03a2211dde77fafe69d173ed2ef6279fbad245eae2b12cf6f231c582e67cf885fb0dcc6e6954390b8ab6a9b23a8eb98e3d64361ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bc669facf6623ba7424d927bd8911225 |
| SHA1 | 5d2ef4c0b165ca3d6ca0e99cda6e3b1ad261fb36 |
| SHA256 | bd4f578dc7a4d69c5241490d424d0d0dfa4cfbd451e1f36933eb06624d292dca |
| SHA512 | eb8e324b80b7a0c33148b67aeaed143fbd69c31fedec4a92bfe5df1523beb0a9aba74049dd322181274600cac68c6327197214bc20c51ba37c211a288df838e0 |
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat
| MD5 | 17105f9a75ebcc3517dab1866a7d2c18 |
| SHA1 | 44b41369685b6d229589576232a49dbbe31db3d1 |
| SHA256 | 2d76dbf17fe6e39644569ca186f5b432776261dac3845f63b04ff415f0f24576 |
| SHA512 | 21e32b01c5bd859a0f30cf5671b0281ee04690acef09cda5d5f0c43bbebcb0f9a935dbc3b0faeaaebd8abd7c03097e821c0a0834d782678b78db8511d5ac74a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 489896c0991143e098c7416018f2c646 |
| SHA1 | 4c50ca04e5c6b31581ef3c706a4d9bbc1e67499c |
| SHA256 | baf87d2f4a118f8c3c87b145d4fe0878a1266df4a8a6dfecad5d40f4a8cae178 |
| SHA512 | a04d3fa3b9aa821bb6a6aed3fd8ff6dccbef5a25f523981a2b9eaca7bd1ecba150e1719dc84515a42cdaea3f013759141f1a7bc64680da1d18a6291fc3cac66e |
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat
| MD5 | a714b0e5cda29c9f39dbe92632c5e7d8 |
| SHA1 | 7252119ea579e5f5703ffc1ba0b534c005f6e1c1 |
| SHA256 | 51a8b329f86f24e734f2a5091fe85244498c41828107004faa9a7961aec1015b |
| SHA512 | c925db7cf6d48d3319278474d45a44633a29ccb65dbfcdf83b63532700587a978e329131b826931940436d5088216147e81dd67b8c0a864104cdf06c1c921e0a |
memory/1800-580-0x0000000000060000-0x0000000000170000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 87b8b96f0d34606c08fe67025f42197f |
| SHA1 | 35b841b13233fdeb89f5b2859ac0ad102dfd1e8f |
| SHA256 | d987bb0aafc712165315d858930936a4742b31ab0fbe923abe81d19120f67535 |
| SHA512 | e091a44d3b031b0696d634bf8159b8b3726c4e92a1ce7a89757a256b8700a23d52da25b92f37f9a71437a4cf552df80461fc2e878c263f528445ab3293ee4ab8 |
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat
| MD5 | 9fd80a65b4b302e59092726a61c547e7 |
| SHA1 | fb01053adafc7d122fb214c609bae3917e50e4bd |
| SHA256 | 161fe496949f6ef288a5bcc9edae6a5f4091d3a2eaac524d4f00110a2e74be55 |
| SHA512 | 07bb437aee9f56fd1a265fffd0f6692f58725d9fdfe8078d0a8794daca8749ffbc89fb21e5f5483f81a70f7bc6794413397dd9ce2783a03c2c2f72f8c28a6a5b |
memory/592-640-0x00000000001A0000-0x00000000002B0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 530f7d45b8cff39118fa28ec05386107 |
| SHA1 | a51ea2dbd1ef613ca7bf6e23f0fff98e8ea3ab3a |
| SHA256 | 90edcad11104e4e8d0ba3dd4c9de84861579f56af22a74f48a4fb5e53b1d6957 |
| SHA512 | 1c3090c5d5d3185964e4e50aee22bfbee138a7fc2c67e7f81df8e18b973e718410d422130be59570dc1267dc2be4a91de034d60b8a33a3170b6ee13f4ab02c11 |
C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat
| MD5 | c8bf2f2dbbda6cd80381ec379f7ca401 |
| SHA1 | 95cc457f9cb808274d9a0774d0d26cf90036f231 |
| SHA256 | 6cd7d5fb4f67be4802c88f20e142ffd24331c29572d6a03e35cbeb9b6c8ecd12 |
| SHA512 | 1ec15f0f765bb62ad612e41eab563930e18c9992c6a866c68709fa7330e349be44346e1a21006a3f00d1b1d2a30609fc5f9f7d624c2c5cb29fe5052722990972 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 18:51
Reported
2024-12-30 18:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\providercommon\smss.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows NT\Accessories\es-ES\e1ef82546f0b02 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\ja-JP\powershell.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows NT\Accessories\es-ES\SppExtComObj.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\ja-JP\e978f868350d50 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\es-ES\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\es-ES\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\hrtfs\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\twain_32\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\twain_32\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\providercommon\smss.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c6cbaa7ed17a66eb61a77fb32f03401ec875d915b97ba918c27b450d91c7151.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\providercommon\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\csrss.exe'
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Java\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\DllCommonsvc.exe'
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\powershell.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\providercommon\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\RuntimeBroker.exe'
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
C:\providercommon\1zu9dW.bat
C:\providercommon\DllCommonsvc.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sk2nkstd.3lx.ps1
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat
C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat
C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat
C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat
C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat
C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat