Malware Analysis Report

2024-10-23 21:29

Sample ID 240408-hp7hbsbc9t
Target e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118
SHA256 f06f42f55d97811886559c435e20fa273b088c08552ed47a70b715c21e74308d
Tags
quasar office04 evasion persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f06f42f55d97811886559c435e20fa273b088c08552ed47a70b715c21e74308d

Threat Level: Known bad

The file e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

quasar office04 evasion persistence spyware trojan

Windows security bypass

Quasar payload

Quasar RAT

Windows security modification

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 06:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 06:55

Reported

2024-04-08 06:58

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 576

Network

N/A

Files

memory/2772-1-0x0000000074A30000-0x000000007511E000-memory.dmp

memory/2772-0-0x0000000000280000-0x0000000000524000-memory.dmp

memory/2772-2-0x0000000074A30000-0x000000007511E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 06:55

Reported

2024-04-08 06:58

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\\svchost.exe = "0" | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe = "0" | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target | Events
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A | 15

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\\svchost.exe = "0" | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe = "0" | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target | Events
Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\谈说话诅诙诳请诉调诠诃诔诂识诙 = "C:\\Program Files\\Common Files\\System\\\uf532\uf536\uf539\uf538\uf564\uf563\uf544\uf55a\uf569\uf577\uf576\uf530\uf55a\uf566\uf571\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A | 8

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 320 set thread context of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
PID 1896 set thread context of 392 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
PID 3776 set thread context of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
PID 3076 set thread context of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
PID 1156 set thread context of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
PID 3324 set thread context of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\PING.EXE
PID 4940 set thread context of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe
PID 3944 set thread context of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\\svchost.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\\svchost.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 51

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A | 15
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 24

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 320 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 320 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 320 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 320 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | 8
PID 4724 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3988 wrote to memory of 2512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com | 3
PID 3988 wrote to memory of 5024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 3
PID 3988 wrote to memory of 1896 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | 3
PID 1896 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1896 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1896 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1896 wrote to memory of 392 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | 8
PID 392 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3016 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com | 3
PID 3016 wrote to memory of 1964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 3
PID 3016 wrote to memory of 3776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | 3
PID 3776 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3776 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BulbEsDT2gTu.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FzbHdUlqlgk5.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qRCs6zBFRRC8.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGkFQ4DeO5bT.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5FRatSaIBxe0.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaoQY8EFF36B.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q0OtEA2Nz2i4.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3920 -ip 3920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 12
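
The process list above is the chain a responder actually needs to pull out: Defender exclusions added through Add-MpPreference -ExclusionPath, once for the copy the sample plants under Program Files\Common Files\System and once for the sample itself, followed by a temporary batch file run through cmd /c that issues chcp 65001 and ping -n 10 localhost as a sleep before the sample is launched again. Two details of this listing are easy to misread: the image path is SysWOW64\...\powershell.exe while the command line says System32, because the 32-bit parent is subject to WOW64 file-system redirection, so matching belongs on the command line rather than the image; and the double backslash in "System\\svchost.exe" is in the command line exactly as the sample wrote it. The Python below is an added triage example, not part of this report and not the sample's own code. It walks (image, command line) pairs and extracts the exclusion values (generalised to the -ExclusionProcess, -ExclusionExtension and -ExclusionIpAddress parameters and to Set-MpPreference, which the report does not show), the batch path, the ping count and the redirection mismatch. The input list is constructed from the command lines shown above; the rule names and the triage and Finding names are this example's own.

```python
"""Triage helper for the process list in this report (added example, not from the report).

Pulls the Defender exclusions, the temp batch file, the loopback-ping delay
and the WOW64 image/command-line mismatch out of raw (image, cmdline) pairs.
"""
import re
from dataclasses import dataclass

# Constructed sample input: (image path, command line) pairs copied from the
# process list in this report. In practice these come from Sysmon Event ID 1
# or the sandbox's JSON export.
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Program Files\Common Files\System\\svchost.exe" -Force'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe" -Force'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BulbEsDT2gTu.bat" "'),
    (r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    (r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 12"),
]

# Add-MpPreference and Set-MpPreference both take the four -Exclusion* parameters.
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCL_PARAM_RE = re.compile(r"-Exclusion(Path|Process|Extension|IpAddress)\b", re.IGNORECASE)
# One PowerShell argument value: "double", 'single' or bare, optionally followed by a comma
# (PowerShell array syntax such as -ExclusionPath "a","b").
VALUE_RE = re.compile(r'''\s*(?:"([^"]*)"|'([^']*)'|([^\s,"']+))\s*(,)?''')
# cmd /c "<something>.bat", tolerant of cmd's doubled-quote quirk seen in the report.
BATCH_RE = re.compile(r'\bcmd(?:\.exe)?\b.*?/c\s+"*([^"]+?\.(?:bat|cmd))\b', re.IGNORECASE)
# ping to loopback used as a sleep; -n is the echo count (Windows default is 4).
DELAY_RE = re.compile(r"\bping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:localhost|127\.0\.0\.1|::1)\b",
                      re.IGNORECASE)


def _values_after(text):
    """Parse one or more comma-separated argument values at the start of text."""
    values, pos = [], 0
    while True:
        m = VALUE_RE.match(text, pos)
        if not m:
            break
        values.append(next(v for v in m.group(1, 2, 3) if v is not None))
        pos = m.end()
        if not m.group(4):  # no trailing comma: the array ends here
            break
    return values


def defender_exclusions(cmdline):
    """Return [(kind, value)] for every Defender exclusion the command line adds."""
    m = MPPREF_RE.search(cmdline)
    if not m:
        return []
    rest = cmdline[m.end():]
    found = []
    for p in EXCL_PARAM_RE.finditer(rest):
        for value in _values_after(rest[p.end():]):
            found.append((p.group(1).lower(), value))
    return found


@dataclass
class Finding:
    rule: str
    value: str
    cmdline: str


def triage(processes):
    """Walk (image, cmdline) pairs and return findings, deduplicated in first-seen order."""
    findings, seen = [], set()

    def add(rule, value, cmdline):
        key = (rule, value.lower())
        if key not in seen:
            seen.add(key)
            findings.append(Finding(rule, value, cmdline))

    for image, cmdline in processes:
        for kind, value in defender_exclusions(cmdline):
            add(f"defender_exclusion_{kind}", value, cmdline)
        m = BATCH_RE.search(cmdline)
        if m:
            add("temp_batch_via_cmd", m.group(1), cmdline)
        m = DELAY_RE.search(cmdline)
        if m:
            add("ping_loopback_delay", m.group(1) or "4", cmdline)
        # A 32-bit parent asking for System32\x.exe is redirected to SysWOW64\x.exe,
        # so the image and the command line disagree; match on the command line.
        if image.lower().startswith("c:\\windows\\syswow64\\") and "\\system32\\" in cmdline.lower():
            add("wow64_redirected_image", image, cmdline)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"{f.rule:26} {f.value}")
```

Run as-is it prints the findings for the sample; on a live host feed it Sysmon Event ID 1 (Image, CommandLine) pairs. Treat it as a triage aid rather than a detection rule: PowerShell accepts unambiguous parameter prefixes, splatting and -EncodedCommand, none of which this regex sees, so for detection pair it with Defender's own audit trail (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log records each configuration change, exclusions included), and on an affected host enumerate the damage with Get-MpPreference and clear it with Remove-MpPreference -ExclusionPath.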

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/320-1-0x0000000000CF0000-0x0000000000F94000-memory.dmp

memory/320-0-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/320-2-0x0000000005980000-0x0000000005A1C000-memory.dmp

memory/320-3-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

memory/320-4-0x0000000007EA0000-0x0000000007F78000-memory.dmp

memory/320-5-0x0000000008530000-0x0000000008AD4000-memory.dmp

memory/3008-7-0x0000000002320000-0x0000000002356000-memory.dmp

memory/3008-8-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3008-10-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/320-9-0x0000000008DE0000-0x0000000008E72000-memory.dmp

memory/4064-14-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/320-13-0x0000000008070000-0x000000000807A000-memory.dmp

memory/1020-15-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/1020-16-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/4064-17-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/4724-18-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4064-12-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/4064-11-0x0000000005090000-0x00000000056B8000-memory.dmp

memory/1020-20-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/320-21-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3008-28-0x0000000004E70000-0x0000000004E92000-memory.dmp

memory/4724-29-0x00000000058C0000-0x00000000058D0000-memory.dmp

memory/4724-27-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/4064-35-0x0000000005810000-0x0000000005876000-memory.dmp

memory/4064-37-0x0000000005880000-0x00000000058E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uzd5j4eu.520.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3008-48-0x00000000058B0000-0x0000000005C04000-memory.dmp

memory/4724-59-0x0000000075000000-0x00000000757B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e6e2378b5d5ef85b039d0b261db4fa9e_JaffaCakes118.exe.log

MD5 b5b0a1b2facedfcf3b5cf410369d8a78
SHA1 3e0703974b6abdf939dcfd81309b9d9ed65edb17
SHA256 1d8944aa85aa7d0a35e6596ecdec7bbb4974607e984a22d0a5d89f1bcdbb625d
SHA512 aea990f8e277e78c8f13ac6bc4270ef42be831b7d3f304e844fdf30eac0ce04d394650fd580c530985112c3dba8670f825ff5b1b0ef8ac0db3e143a95999403a

memory/3008-60-0x0000000005C50000-0x0000000005C6E000-memory.dmp

memory/3008-61-0x0000000005C90000-0x0000000005CDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BulbEsDT2gTu.bat

MD5 ffb6bf2ae5e742b3adcca68e5d5798ad
SHA1 fa0fa5c96bff8e7f9c9f85386a19e4863e0fe94f
SHA256 fd8f606bb8b627e3965c239d01ddd2948081e1b14d73e7c43d2381e5459ac81f
SHA512 6f67afc9d35a533cd37f27d4532f60405a71e955904e03c87392589648bc8027828d6e046f3d30ad2f542d5c9c8278e44937ba3db652dcc4516380c2e8e0faf7

memory/3008-63-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/1020-64-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/3008-65-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3008-66-0x0000000006230000-0x0000000006262000-memory.dmp

memory/3008-77-0x0000000006210000-0x000000000622E000-memory.dmp

memory/3008-67-0x0000000073AD0000-0x0000000073B1C000-memory.dmp

memory/4064-78-0x000000007F4E0000-0x000000007F4F0000-memory.dmp

memory/4064-80-0x0000000073AD0000-0x0000000073B1C000-memory.dmp

memory/3008-81-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/3008-79-0x0000000006E30000-0x0000000006ED3000-memory.dmp

memory/1020-91-0x0000000073AD0000-0x0000000073B1C000-memory.dmp

memory/1020-102-0x000000007FCD0000-0x000000007FCE0000-memory.dmp

memory/4064-92-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/1020-103-0x0000000007890000-0x0000000007F0A000-memory.dmp

memory/3008-104-0x0000000006F70000-0x0000000006F8A000-memory.dmp

memory/4064-105-0x0000000007290000-0x000000000729A000-memory.dmp

memory/1020-106-0x00000000074D0000-0x0000000007566000-memory.dmp

memory/4064-107-0x0000000007420000-0x0000000007431000-memory.dmp

memory/1020-108-0x00000000074A0000-0x00000000074AE000-memory.dmp

memory/4064-109-0x0000000007460000-0x0000000007474000-memory.dmp

memory/3008-110-0x00000000072C0000-0x00000000072DA000-memory.dmp

memory/3008-111-0x00000000072B0000-0x00000000072B8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/1020-117-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3008-116-0x0000000075000000-0x00000000757B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b1dd697cd7c316d754bfb6b6383552a1
SHA1 83bfa0e226be561628eadc337e29d814f1d20f4e
SHA256 93412549855a706d023b8f19d42cf2fb7a7c8431dff6930ab4b3cca02cd8cb23
SHA512 7811885a385de99716037c59885659549d3cbae69d075d6a248f214053b9b915ab57edfcf76bf361fb75c6d5b784c6d716c93340ea1bf85069a41f6ac073efd7

memory/4064-121-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/1896-122-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/1896-123-0x0000000002A50000-0x0000000002A60000-memory.dmp

memory/3884-124-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/2360-125-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/2360-129-0x0000000002620000-0x0000000002630000-memory.dmp

memory/2360-128-0x0000000002620000-0x0000000002630000-memory.dmp

memory/2400-131-0x0000000002F90000-0x0000000002FA0000-memory.dmp

memory/2400-132-0x0000000002F90000-0x0000000002FA0000-memory.dmp

memory/1896-130-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/3884-127-0x00000000053C0000-0x00000000053D0000-memory.dmp

memory/392-133-0x00000000750A0000-0x0000000075850000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FzbHdUlqlgk5.bat

MD5 1e232f94d11010c98f878cbe770bc544
SHA1 bad6dce3050a61df3aae8a11b5318632d3570bb8
SHA256 bc861e318c902f007ac30fec8ad5fa5f2f10106f9802d21c1d9009a6f0cac160
SHA512 94b58135042fdd094b027175c8879d38c4fb80801ad6b7c032adbc78557221506bb574ae54fbad7ca53576baf42c9d95b04dcafe7b700af906b42eda1ec183bb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 61461cbed4ac4a91e547e5519f86cbe5
SHA1 7324f0e281f71e8edf67e764131a6f9ee9240db4
SHA256 cb4db4737669360faad122ad8d9af3c6adb35bdcac72f3ea9d890c6fcd06fad5
SHA512 10880ce1041a5d062988d7bce2792067461c8753f1a2228ff2d3f9579cbce55f52e26a6b73802ab288331f881d963a14cddef8e48c6655f7a701eb9b63bc8a93

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 33569a1d6fceffc659fc22935873fb0e
SHA1 449c236cf8731cb4121a518e87a29e9e2b3ea869
SHA256 73d6aa1176d733c628839ec14da727d19564b000bacfcb160c1732cd96ebd627
SHA512 d79dd0c3b6dcb3d029fe99adcb07598764aaf6720d9fa1bf54855517dba92432276f18f600a771556b263d0d71f280e5d01c10910d49a5e11ecb2d5c04fec46f

C:\Users\Admin\AppData\Local\Temp\qRCs6zBFRRC8.bat

MD5 698fd8ff1bc97927977cae4eb8b86068
SHA1 274cef0cd4709020cb6133dd85aa812a19d6de7b
SHA256 3e51484ff6eb009781f28ce9e46b1089266352dbdd232149901bbf1af35973ba
SHA512 66b274377fb143097871a052ffadb4a3f0256a50e72e272d36aa5deb56e2434f13ccebd3b5e6c6c0f433619b45529ef30d98dadfa93cc64c471d2be8756fa0e8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3651a8550970b66295fdd06356f37483
SHA1 15b1674553c5a5b50a48399860d0e15d685f5fca
SHA256 a2dc8cb9213f8d8bf8819061d970265f181a24ddca3f9783c1169c83c0e736fc
SHA512 8f0ddf9ee694ab484f30824dbbba5ec2297e5027101183a717d9cd56d8a2b9ab9375df9ef8ab857749ae39166463b32e6dd42c5fed871a3aa1748461a0391510

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3e268cbbb2f99f7dab5fab7e1b609c7d
SHA1 215361e9b1a0e1f8a941edafc98eab73e53db49c
SHA256 0bbf2ea56780a703adb2b686550111ddeaa6b53e3dfa7dcc5360c1a6c56d4579
SHA512 23af36f6c4fa0a4740ada07e45c7eaf62dada751f12c5d6194a77615804eac7ee9b1e1f21695fbdeb224fa96acff2934d42ef6e00a29c56b2d1cf39c647270b9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10087504da1cc7cc7a46cac64c321837
SHA1 504de9493e8494122c48c23c579e3fd9bcf4f4a1
SHA256 f3df9bb912cc579fc5a80b6cec4d947067134dc148ebd7843ca50163262c094a
SHA512 97760830984261da04deeb8d44893eb76061d6370f4cad79f5984d083e2295794ab1f454d899f3cc7fc64d7573d02b94077c50fb0e8bba1e4acdbfcbb747c272

C:\Users\Admin\AppData\Local\Temp\VGkFQ4DeO5bT.bat

MD5 a5b16e3312e6b6e613c7f6d9ba1c272b
SHA1 c90aad3160e9e8d54a7556b43c6e472c46694537
SHA256 cdd9b986c709314ff208c2200762c06a3fb35ba8dc8411b7ba9da1eba06af173
SHA512 665846165bd573747580352af54c5cf22390562029ce58d5ac0c0ff63d787b0d67eb90913683d0c6a696f847ba6e3cce384bb2ad5661f670398fa00dd74adc4f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e82c38951bc904de3c17debde20f7c63
SHA1 dc6728b8d21a7c60a9aa03a54959aaf211d52fe5
SHA256 e723321379d4719b7f416929ec57a01a8b44cb1285c1c46db82df08a6e8f231f
SHA512 318b1d6edfe322433f0a93d1ca828857166c48d6136ddf48b0b2d3fa82e902eb6dff564ef7d84ac639d16d9ac00cd9adc347449fe945d529dd19eb6de24d9e27

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 02f4de5e4fe6294f6db2fe1955ad429a
SHA1 8bdd827170cd2199c16110a62b9c20f720a3dc59
SHA256 bee33028fc669e30572e7bb25466dc2c84d26c731b83d2b0823edf4d8b5af564
SHA512 7547f1f7f93fabf6cb7019e3df214e647b90f46862e7e53ec8da9eb9ab19f833dbf303138355383f30a51e3a1d41a13c25b6806597ca55ae1e78cca9f305e4ce

C:\Users\Admin\AppData\Local\Temp\5FRatSaIBxe0.bat

MD5 38e9411396d4d67d42c1f3e80032fc78
SHA1 dce12840b2d14a93063b64744c2aa296dd3c135f
SHA256 b2551a2ccea45e140a9086c194958252cff4a3a185ef4084e9bca0dcf9c1300e
SHA512 2c40871ca6448be0ed475aaa524ee298640729fc97b9317cb1927aa92979271405005d4a031ff75a5489dfcdfcdb91f4c0f41b420f547fdd6bd0fb3e51c7c4e5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4c6ca02277bcdc0f78c88c291e205941
SHA1 417949b1bbe29e369767504b375a06f34165df4f
SHA256 029ad5291ae1cb0927063e5609db1c6f67a571cbb1058f5dd22497ce66affa7d
SHA512 9bc95c84d9720e86c3a1b9561cd1cda1f2bbf44c1070f699f25c4bd201c2d34f988b4bb2a6e051f3894a91ebb70664309022e75908735753e22dc51bad064ed0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 762e1a5678d5e7ef87333f79619c0507
SHA1 a33bb57133e74a59b02395501ed36318eee43375
SHA256 724f4f9ac17959e1849cadfa34366975ccabc011dbbebbb66508a552c267414e
SHA512 11f9b6072e3598142594e7ca1046a71f91e686d2c54eb69c690c3219409f4ed0905d5467150594d5929408dac5a22119067943d25a13ae61745d683d316efb36

C:\Users\Admin\AppData\Local\Temp\LaoQY8EFF36B.bat

MD5 648b16187f1a6f1c1a195766acb890ac
SHA1 b40d9be4a87b038ef877b7eb63d11c2cc710737e
SHA256 65c5db6f47499355557eefd9ab14e576c450dfdc9b0d6d81af76406841e33ebf
SHA512 b41d924495468f5ee722e658a8bbee8ce68c8000024ae720a6a8a39a24642e5284d6e17efb58e120186e646c6e3fd95f6787107807ebeea1c069a45954028bfa

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f506c654d69b3f525ce3533e218f391a
SHA1 5a32632967c1b338058b086af02b1cda550001f2
SHA256 6b188115e148c0101c585af78ba8621edc215fd0bb3419d2a070640928c5ee69
SHA512 78560717b379a05f1fd4ca387aff7087d37bf1cfa73025770d18576bcb358a79102d858b4d624790f042731201b9504ca71f9eaf86e6ccd9cbc97470b955e5a6

C:\Users\Admin\AppData\Local\Temp\Q0OtEA2Nz2i4.bat

MD5 193a61f864003fecb61245923f756e21
SHA1 52f9f1d6daba9d5dfbec37db2ce068f08ebf9889
SHA256 c007746a5af151b9c3afd49b050eb834963e5410af1c60892d5bc2c38660f75f
SHA512 2c9911ae44b75560be1e500b31b5648c7c89e7508eb29191f25a6d68568ab9c619006801acc446b9b0b9f72624e54e8545d96ba35be3efcc9b244269e41abf87

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3e8db22cbd32dd9d7f76860caa0307dc
SHA1 030df9525547c785f9c9b614b2b3dd28d80e738e
SHA256 0c569bb8b66d3845f6a29bf8b40ae1e1a0d7fbb14628fa8309e459f81fedbacf
SHA512 b23aa56b6911299a8f133473ef0d071ad7676a871e75367887f8a6b12a551b8075444301f7c394479ef4c577e972ef8d9130809066453816ed5a5264b5bdd168

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5ee3c15a416fbe4fef69b33470cb3d69
SHA1 5184bb76f7083c9abe69e7576f0cd50b1e07c392
SHA256 f56256dd22832ceaa95aa3d85b34a1acedac13bf0faeef18b444fce0e59a803e
SHA512 7428671896467c0a340e2fb134c5130fecbff80a2a7f6d385ab542b6c0685b55409d07768a7a8a6fcd45cc38545c73ae479c655f7404f9877582bde9d5b3910f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 54ebffe73dfbbad731c863dc3b1a63d8
SHA1 80d212dfc74d529307266699e29287fbd1ad8d41
SHA256 382a9a13aca2704cda61c74e35dd0cd69ef4f8a24079f0e546e36b00897832a9
SHA512 2e8ad9d66c63b0887f0d3ba422d27ec24c280698f10ce1a77565f932d363e57c981d1dfa9615922ea389e481c07cb5fb9b90054942b9b687372529b789519844

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 358391e713467e4024613bf55c720abe
SHA1 00ceb553141b1714ccb4deeaff19157028a40490
SHA256 012e78d6b1d1958b85c131e1a8af7452c3f46a789bb65825a5a562beddc397f9
SHA512 0974699c38f6847df0124ea2e4ebaca0056104ed8c1396f02af1a0332cefc4d6e57c2e5b2027da3277962c88eaa21f32beb2762babb719a5bc87aa8d22697b42

memory/3920-756-0x0000000000200000-0x0000000000200000-memory.dmp