Analysis Overview
SHA256
e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2
Threat Level: Known bad
The file JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2 was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
DCRat payload
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 17:05
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 17:05
Reported
2024-12-30 17:07
Platform
win7-20240729-en
Max time kernel
146s
Max time network
143s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
| N/A | N/A | C:\providercommon\smss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Chess\en-US\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\DISM\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Scenes\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Scenes\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Logs\DISM\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DISM\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\winlogon.exe'
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\smss.exe
"C:\providercommon\smss.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2880-13-0x0000000001110000-0x0000000001220000-memory.dmp
memory/2880-14-0x0000000000240000-0x0000000000252000-memory.dmp
memory/2880-15-0x0000000000270000-0x000000000027C000-memory.dmp
memory/2880-16-0x0000000000260000-0x000000000026C000-memory.dmp
memory/2880-17-0x0000000000500000-0x000000000050C000-memory.dmp
memory/1624-64-0x0000000000320000-0x0000000000430000-memory.dmp
memory/2252-65-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/2252-67-0x00000000021C0000-0x00000000021C8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 58753b26524560ee6ba944ac3bc60ecc |
| SHA1 | b961d8e015d42f1e16e2bbc7e307da3b1e6d469f |
| SHA256 | 8d085ce296d7f2417f4091d4aaf23067dd879911a0842e11d5772bb6a10710f5 |
| SHA512 | e4d2ade5355423204abace0dd212e2aed45377e299d72d187c661b1a9e3f02a498791fad652bd9cf1ab8bbb827b078d6961ecd037e63cccd3b8fa6a13326a3c7 |
memory/1624-157-0x0000000000570000-0x0000000000582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabDE7F.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarDE91.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat
| MD5 | 0886335fefc50072435dc9ebed3b6612 |
| SHA1 | 5ac2a62a314b630027283325e8bd010e7edc3658 |
| SHA256 | a4ae46c548e1746c33b30cb2052945093a10dee94b3e1f12e01b3c7af9eab209 |
| SHA512 | d126ae978175d44a106d6bcdf922dd2123903af26a992d907f8759246dccb34556b4aa35bf17fba50bd6936d097e2b948f2939d8be836a10a113d1d3dd876cbe |
memory/2760-216-0x0000000001090000-0x00000000011A0000-memory.dmp
memory/2760-217-0x00000000004E0000-0x00000000004F2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d19d9cc0bcb7efa3ba277e63376b3ab4 |
| SHA1 | e4245d80d1f3223a99a8d04cebedda6ee9804010 |
| SHA256 | c6dacef36b1c73777a85c96c804cb7dc9e1a4f16baaee4254abd28553c0e49ed |
| SHA512 | 8777a19dcf1e6121b8423b9fb3d4a33cffa849fb3b56f1a0ee297b460c44dd7dfb127b5244e42b8d27b95298f085d698d8010df11287716a8f83125b371803b4 |
C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat
| MD5 | 66b07c2fe1a3be7b88f743b02355527b |
| SHA1 | 9b40e8a824fac5aabf82b7a523a063a3b1dc2905 |
| SHA256 | 54d70b23902d67c269141f5907aec4f5aba929fb9ce9f3910752fa94e0b232d0 |
| SHA512 | 1816fecd9fedf7cd7863a9e3fb5ed6fd7c4136e74eedbc2241a211a49239333cb7b5c64b947bae7316ea94f5ab2dc54d06152fb47ac8f151881ed252098ed0ce |
memory/2512-277-0x0000000000350000-0x0000000000362000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f88de198c2096810ae975f050994ad26 |
| SHA1 | 5e82de9b682a7c51573ece0cff2fb6c6bd082277 |
| SHA256 | 737565a7b7e13d8a12b8c7b627c032f269a12a5b867a5641d0fa74c73f5bd38e |
| SHA512 | 0590e44642f39c9c9d99978fafbf829a51dfb63c6181267ab89997904ad1c7d890e7a60ead6e4d97bcc3e5c4f2428c2b1ea0a4a472423c77fc910c75eb754984 |
C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat
| MD5 | df8f1694ddb6cd301d1c8c108659a4c9 |
| SHA1 | eb6e578b75aee2d66d79bb2c1fbb663ae9e388d3 |
| SHA256 | f7b7a8bf2eb43d0f5f8ad9c9196c8902552777b8f29081fd44dbce8102646e8f |
| SHA512 | d09257a7dd72c7ddb5fa8f3bf363468f57ed68259113c61139d0b88b6bbb103a2fb0c2664e6d96516920e8367f72f380c4261961b9ed48053a88b8cc3dfe6050 |
memory/2428-337-0x00000000000F0000-0x0000000000200000-memory.dmp
memory/2428-338-0x0000000000270000-0x0000000000282000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4b4e3b165299ebe5887f3510c1300298 |
| SHA1 | 13d1c0602a8e3a90265c6ae6d812aba5a13f4e73 |
| SHA256 | 0d34e2dd7752acf1f6e19a074744269d72c48027154e7864a28acc45ba19d03d |
| SHA512 | dae9bc2707abb29226863e5edb698092076acdb8046c999298d664ac9031bd21bbb9565a192367bcc10a2dc5da2eb69ea85682997c055e3f4ee6fe49aac06953 |
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat
| MD5 | 1552a345f606b887129d32acdb81e6c9 |
| SHA1 | a13f2b2cfbb94f6162195ba3a965a18c0b422d88 |
| SHA256 | 34541f9c4d6183387195afa3a393a7f58cbd6aa0790cfde092b32885fcc256c4 |
| SHA512 | 0746744d01b34047038b08b63d2c42df3dee8659a0aa3f075a5f30bee131332bbe92b805ae024d36e59c68da2a9b8a1b000307f02a26bd3afaa399f4db20aae5 |
memory/768-398-0x0000000000310000-0x0000000000420000-memory.dmp
memory/768-399-0x0000000000450000-0x0000000000462000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e315fc88e524ec36f7c3619545ba278 |
| SHA1 | a526e3e185b18d5f7286f03d4e83b1a726797f9e |
| SHA256 | b3a6b79add215ff3475ac7de17f0cfc0effda1ee56cd1ecf80f053c014c98280 |
| SHA512 | 6fce4fec3a39734697092acfe84c55440b5295516ada3b9092691708c85c889494288dec7e814b28a7a3dd0397c02204c7ba9c385b0a3df4657a6194431c7f09 |
C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat
| MD5 | afaface201281907da8ecb7f69dee075 |
| SHA1 | e6f63e210a0e085eea41e5ccd9494b75db4978ab |
| SHA256 | 3f258f4fcd210aae717842eb16dde2a0dc49b490269eb070471427818f46c6cb |
| SHA512 | e6a3d168073dd47299101102f537aabd1e6026900b48733738b3fd7a9d09203c6aeb969d9d3b794cda24c4a17d7c558a6735323f8fe48db80b4f39c96db3b9b9 |
memory/952-459-0x0000000000250000-0x0000000000360000-memory.dmp
memory/952-460-0x0000000000240000-0x0000000000252000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4a842f4d94c9220b15503e4e3e8ffa45 |
| SHA1 | 1aa7efbc99a2b6edee8ed124426c5adf3bcbfe4e |
| SHA256 | a2d993d3487f10558ccb7c2c276e3678c039e6d99da8b06c2baf15f002bdc9d9 |
| SHA512 | 902d5b260da77edd8669de6f0d1cbca79b7f49aaca1f1b51ecfc4ec465b9fceff5eb74aced7696e43efce5c685bbddc2bcbc376dcc1890e13c28670e5f0ccc53 |
C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat
| MD5 | 177c50df1f09644a84cd66dac7827c84 |
| SHA1 | 07cce867f6ee9240800172034dab84c890a0ef1b |
| SHA256 | 3c561c0fdef3684f8cd3721c97687a7e7c8cfbf3387e5a2510e08c0df6db7369 |
| SHA512 | 82feb5301027b1aed940bd29ad31c435c54249d9ccdf2f85b14633609ce10afa016f4c4769338f15e856af25257dad02ecbaf19d1a14ad68679b33b597bde51f |
memory/3024-520-0x0000000000230000-0x0000000000340000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d680f70dca318da0fdba6b75ffeda800 |
| SHA1 | 3cdc17844a9ac9b2f28385937cd04328946a27bc |
| SHA256 | e11926aae931fe4a24efab1fa0c0044e1a543b59adcf1cc4bcbce2a2d4e6d2dd |
| SHA512 | 4e093da5263771527907d6ad50793118013c061aeb8ed188d6ab80f4dcb416cc35a3e8560de71137eca6f22b32bd6a769a082667bb2ef05fc133dc32b8c47068 |
C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat
| MD5 | dada77dd59bdca6f3ec6f3df009b2c28 |
| SHA1 | 1d70495fe9b7524f76af0cd711afcf3f834a1594 |
| SHA256 | 7e5a609a4e0d3c5e0d8af0dd2d7b791750be703d00bfa09416debab987c903ad |
| SHA512 | 1b490046d26dc1874130cc81e5aee2a9b6de036d88b995a0e702ac0a88f712327256fe53c1d4a337d241b13aa7c66049609ec1508183610389b51820c4a6f1cd |
memory/1100-580-0x0000000001250000-0x0000000001360000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24c2ff1fdc8893700268be8f54caaa4c |
| SHA1 | 011d73ca7562bbdfe3fd02ca0656e4273be5ab5e |
| SHA256 | cade0b4a0dca65b23caa519abbbfc2b95de554b19e2cf20a7bd3b1d61342b028 |
| SHA512 | 5663e94c3224f6b75296daf0345a70d4171e6afde6d53f740d44bcd378d3f5b57a7ec1eb019f22685aa8c52373fcfe3a8d81c35b3b85f5fabf4f304b02f9cfa5 |
C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat
| MD5 | 2b71d79a4afd0dcd97304ef93f3dab93 |
| SHA1 | ef0afade4282f923f5ea7dba5be7c35805018835 |
| SHA256 | 90906f1ce33c644525524cca37bf2927ed871a9ccb78f028ff2148020a149cb9 |
| SHA512 | 2df830cfc37f38fa87b33473a6a4c9f13f7294936fea7ebe80f4049a75e6a0aa8aca0b30c04c9ecaa753316dca5f006c0f73d4a65fead86609a68749c6b167ec |
memory/1532-640-0x00000000004E0000-0x00000000004F2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e472bf8631a613085345aefaf2d045a3 |
| SHA1 | 7f65ebc2556facacf8c08286ddc26dadb5bb7dcd |
| SHA256 | 01fb5cfa9a4d4e8f8671a95356c93f36418783a7b7f2a01b4e877a64ea0ea0b0 |
| SHA512 | c970864398d31be31f59f21340b5344296b7675d8ea8998ebf65f6f1f415e1f48f79cffea8da10eec95402697b1ef5400804d848cbb1e15c9b00b9ab14cc6c62 |
C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat
| MD5 | 1a288c0edbcf30d1ba27f356ece0309c |
| SHA1 | 20a4e6df37036dde7ac3a7df02bcb197eb20393d |
| SHA256 | f472f11a03871fc793d727940e02b56519d96ae98ca6346dc305348a4bf54e7a |
| SHA512 | ff12d3a6a7673a0ee4d43b1924fd4165d154e658e3f375ad97b9d011d9ec3132d41a69609abff33933848a7c4debee8f5235515a1f97205fedbb2f5fb2ed9ef8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c38bc76a342018ce16ea516678767938 |
| SHA1 | ab7b17b9ea31264a01cd8f4ba4fddc47fc1045a2 |
| SHA256 | db70da41611d3301d4328211f707400f34a7afa2f0dc16ac1bd2afbe2844fa2c |
| SHA512 | 8b3656caa691aaeb96c8357e1792d27253a68cf3bc53e973a5efa185aa4fd00ede169e4e48713a143778a54b8fe2e652f4eedc7fe6327c5650106db34d95fd93 |
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat
| MD5 | dd922653072f6a773a65c3cb0d88a50c |
| SHA1 | dca896f7703300f44879c079567338345b23ea5a |
| SHA256 | e048aeb93a1164cceda696a3e3079d50f341c773ecd5cb0d3500e3026429f9d7 |
| SHA512 | b09f84b254d026515f052dc01ae0f5149fc80569c3b543539535efb11b1762a4bde182231e2ba2921695b2abafd880d1c4b98bcf6af00eb9aebd42533f4ec0b1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 17:05
Reported
2024-12-30 17:07
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\icsxml\taskhostw.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Defender\fr-FR\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\SppExtComObj.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\e1ef82546f0b02 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Crashpad\attachments\SppExtComObj.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Crashpad\attachments\e1ef82546f0b02 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Defender\fr-FR\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\bcastdvr\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\debug\unsecapp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\debug\29c1c3cc0f7685 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\security\cap\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\security\cap\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\bcastdvr\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Windows\bcastdvr\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\bcastdvr\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\debug\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\security\cap\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\security\cap\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\security\cap\winlogon.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\cap\winlogon.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmxpVlvNzE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe
"C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\unsecapp.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4204-12-0x00007FFCCB2D3000-0x00007FFCCB2D5000-memory.dmp
memory/4204-13-0x00000000006F0000-0x0000000000800000-memory.dmp
memory/4204-14-0x000000001B2F0000-0x000000001B302000-memory.dmp
memory/4204-15-0x000000001B420000-0x000000001B42C000-memory.dmp
memory/4204-16-0x000000001B410000-0x000000001B41C000-memory.dmp
memory/4204-17-0x000000001B430000-0x000000001B43C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bljmgomc.jjf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1520-47-0x0000018ACE530000-0x0000018ACE552000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fmxpVlvNzE.bat
| MD5 | f4cb126b742ee5738a68a4581327eaef |
| SHA1 | ead811b7e04342131279b578633ee03120839af4 |
| SHA256 | 8d1605796d3b171ec82fa1d62eac1d1956b5932e67568aed5491a1e1e714864d |
| SHA512 | ba8a4613a7b2edb3702ac13d26008d2e53c49a5992d3d5a4cea5314fea8ce74b974bf0d186d373b3640cc2b735667c2ee37ea18e5464ea6bf8e92f382110f036 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | be9965796e35a7999ce50af07f73b631 |
| SHA1 | dde100f3f5a51fa399755fefd49da003d887742a |
| SHA256 | 6ea6a56f5d5ec6f60b5a748840eed28859f792db2e37f4c1c419e3a92fc619b3 |
| SHA512 | 45369246c8f6e80fa7a3c34db98922702e5f10e67348c94bb27f5bb241ad72cecd72ff5843a2c6b47cec390a6b9c97ba3c4d4244c62b8119ce1b2ca0c3dc3e37 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59d97011e091004eaffb9816aa0b9abd |
| SHA1 | 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b |
| SHA256 | 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d |
| SHA512 | d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
memory/4180-144-0x00000000023A0000-0x00000000023B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat
| MD5 | 1cee088e8b9dd65045ceda65454b9a24 |
| SHA1 | 07ff51c42223239474b44663ec001b3a506323ce |
| SHA256 | a8f16019d94620cbe435262ccdc23567cbde1d78c5eac120940036a06dd1edbb |
| SHA512 | a66a7e578e55757dc1ab9d470c8931fd5bb34986ad8bc1c04320e1b43bae6585d2189e8441676abbf13791e6b042b784d0c1206332e4cf13d6c5c04eb33af2b8 |
memory/4180-151-0x000000001BC30000-0x000000001BD9A000-memory.dmp
memory/4180-152-0x000000001BDA0000-0x000000001BDF6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/3016-155-0x0000000003010000-0x0000000003022000-memory.dmp
memory/3016-160-0x000000001C9D0000-0x000000001CB3A000-memory.dmp
memory/3016-161-0x000000001CB80000-0x000000001CBD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat
| MD5 | 02502ce1f86dc8e9a5afe4ffcf9bfeab |
| SHA1 | bd5bb81a9f2e3751d879a50ac961ba513bb67bdf |
| SHA256 | 1eab0876e49032af6de881087351bf7f8992c3113c120427da6bdf46d07f8f52 |
| SHA512 | defcd43305fa159e81ecb7ca8468f2f28bfeb224d0b2c29f50804680fbb14a9a6f06f647c8269f078528d3e6611a260fd37494828ae4f9dd80f6e2fa032d6e82 |
memory/4496-164-0x00000000013D0000-0x00000000013E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat
| MD5 | 814d20a9a442759613052d65b7db8926 |
| SHA1 | f02125a89e66d0d438ca9502d90e3a29b969c731 |
| SHA256 | d3ca7eb89fd3fb7f50ec305568a2cdd460abcc2f8b1f98a070ce80d82ffafad5 |
| SHA512 | aa0ee494cedcfc054032d38c20f2c7b59423a393f7e5858b04cf1055a92796396f80851eebeefe04936423d67575f7ec831c5d0a59eeeb929ea7c41f7f7a816e |
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat
| MD5 | b0f42276232699e9cedbe905881b1e1b |
| SHA1 | 42632bf7f39beb1e24c7239df8a9ef2cd3e13396 |
| SHA256 | b3c9ee75e688d8d3804bdaf6fe92cb33ea8cec72cb02882dfd083fd981b0bab2 |
| SHA512 | 3b05fc89bb782d91bb6c9499511fc3c04821d42dbe0d4c786afae2d3777a945d0a7ce87e4803e2dc5bf509958b2f9e02b3694375adb7f1bc40b8efa9bba05078 |
C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat
| MD5 | b9f34d4a522fad99b319f0fcff6c50e1 |
| SHA1 | 71093b6453841e51ae5a88fa65fd810c92850272 |
| SHA256 | 8973dc81cc76f295abba47c2d33e8723d9f08a7a39c08e9787af951eadb3ec3d |
| SHA512 | 06004646a31320affdcc77ada62b53efc0003bbe4c360efd2e1dd692e93155c5a96d00b79fa35b2a386be60581b0b14e3e6f583c0d8f7afcabf621925eb84732 |
C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat
| MD5 | b787661965bd9d7599793b53aaf3b2f7 |
| SHA1 | abd95d07e2d7343e78cb5a6fd855195903014c62 |
| SHA256 | aa8dd0048e207c2a6dcb74698e6d327e5406b1eca085eeb7a2d1471188b6018c |
| SHA512 | bcf845709a1edf5faa049dc8e603a21bcc562bc05d27720427a2d137d2208eeb0e929edd9eda83873dc328632b9bddd1ff3c976681500dd59264a24693953fd1 |
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat
| MD5 | 262ef3ee872b08595f0374be1dcdc3d6 |
| SHA1 | c3ef598236294a3ef7a8d7601bea65f53cef2a21 |
| SHA256 | daca2666302603274569cabe01598db1f4357fe2c3a8e72061fc980c0851a136 |
| SHA512 | 6ca982d32f4cdb51fea2868a70a8ab47c3cd22c3d28d93ef6a25f000c6825985409aed405c1c529d5f5906d6f6e29029dbc07b49bec881a690700ab61d5750e5 |
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat
| MD5 | b6baf574eabd9823a8e7ddb9158dd853 |
| SHA1 | 1ea67396208cf49409edd526a471d40759598c8e |
| SHA256 | 0d70acef4054304eda1f63c1f7c8cd5cf08a50642f2c69ae09ec4f8d27406074 |
| SHA512 | 9a9efcec427866986f3d6087cb73e72147016581e448d583cadcc625137a593e451effb9d13b2e52d8933219058f097703a1607056703878bae87acf9a82ab11 |
memory/4372-201-0x0000000000FD0000-0x0000000000FE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat
| MD5 | 63e638227c8254db15365ce7eb1b6672 |
| SHA1 | fb1a36e5a31539b6f3c0f1b88198b92c8a936d8f |
| SHA256 | c4c1d4a98345f71434d8b75c132befc8d92230e21a8947105772207e66b6a6b6 |
| SHA512 | 095f09f35961a5e727f7f64ebdf03e3edd42ee7aa45e47ecad9226add34f18b0998a66f86de811176161f1c6695e41d786e6757091d54ccc88e6351237e01a74 |
memory/3428-208-0x0000000002830000-0x0000000002842000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat
| MD5 | 8e2668bcd75a5042cd18e8dfb37a5d57 |
| SHA1 | 68129a11984212f4769f06e0c352d7e8c76a8c49 |
| SHA256 | 3acb802d794df60ca64496828efe7a453217fd98283965f8b6c333f53c531ab8 |
| SHA512 | 1b38e0df4e23fb7a1bc9cddc9c66b251c4c7c28d5fb1018f46b495bd246f722b04efe758f8f2ea6bb1e988aad5db6ace923f80ddcf7c2f966999ef7f832a77f0 |
memory/4120-221-0x0000000001300000-0x0000000001312000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat
| MD5 | a099b5352ac582a4ab7fdb759b9b012b |
| SHA1 | d02dd49fb92f39b8cdfb4ed089db24a01791024d |
| SHA256 | c938f9e72bb30e99d47a8c8ff22ba9569a7d013248ca03b5e67a94bd3caa4c29 |
| SHA512 | ee6fb09bc13d5f9e0e2846bb174b75416fcc0edb91734d59b1f64a8250484050eeb07f73872ac6bf792ec0f78a3ada87bb1a67e228243e021eb01df38d342278 |