Malware Analysis Report

2024-10-10 12:52

Sample ID 240601-tjnntagb9x
Target 8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118
SHA256 cfa4c2dd4f3589460c4f54c80f78e2065be7d5594f2196a04f5dff38c496120a
Tags dcrat infostealer rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

cfa4c2dd4f3589460c4f54c80f78e2065be7d5594f2196a04f5dff38c496120a

Threat Level: Known bad

The file 8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

DcRat

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 16:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 16:05

Reported

2024-06-01 16:07

Platform

win7-20240220-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe"

Signatures

DcRat

rat infostealer dcrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | N/A
N/A | N/A | C:\hostdll\commonsvc.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\hostdll\commonsvc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\hostdll\commonsvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2904 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe
PID 2904 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe
PID 2904 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe
PID 2904 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe
PID 2508 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe
PID 2420 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe
PID 2420 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe
PID 2420 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe
PID 2704 wrote to memory of 2640 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2640 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2640 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2640 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2284 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2284 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2284 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2284 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 2640 wrote to memory of 2168 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2168 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2168 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2168 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\commonsvc.exe
PID 2168 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\commonsvc.exe
PID 2168 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\commonsvc.exe
PID 2168 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\commonsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostdll\lNrjazEB4MngkM9e2yivBBGzL393R9.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostdll\lYVahkiDZg24kHPEAmzuNde2JNVrzg.bat" "

C:\hostdll\KrpS9OBg3hbHhletXxK9.exe

KrpS9OBg3hbHhletXxK9.exe -pc9752d735504b8e7294f2bf746d3325329eb193a

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostdll\System.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostdll\msg.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostdll\9CM8UClgzDu6e663tzDYIdEhMOgVSu.bat" "

C:\hostdll\commonsvc.exe

"C:\hostdll\commonsvc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ovz1.j1069869.pr46m.vps.myjino.ru | udp
RU | 195.161.114.152:80 | ovz1.j1069869.pr46m.vps.myjino.ru | tcp

Files

C:\hostdll\lNrjazEB4MngkM9e2yivBBGzL393R9.vbs

MD5 872e7407b5d5add0e8f73c1c670db7da
SHA1 c4275d42130a321653681d3dc098503a1170debb
SHA256 f55a81590f802b846103a970597b4015ea76faadbd080875f3db9638bec7c18c
SHA512 28325c9c1d4c16fc001bb36a3e6f741c05fbc6547668f8ff3201680f78a6cdb06fa4bcf5406bc9674459cc4e7c5c5e2fd3e32fb1dc7fa9bbab784ad018b1d6a5

C:\hostdll\lYVahkiDZg24kHPEAmzuNde2JNVrzg.bat

MD5 1fe32b40dc4800a79bf02d7882d2cc3c
SHA1 43a73900a65a2a1efb05a0bb6a11c8c502a13196
SHA256 e90439335ed2096276ad888524fa585a10f0c23f9d36ab41ed0e6e2f2abe9f1c
SHA512 8fa375705a9c2c2826acabe9c00de126702ca5e9ad3ab96abc3fb69269948e1ad55dda93b97dfd89c5b8c7fdc8611d9ebdc6bf3771bf8f6b66e64822d81066e8

C:\hostdll\KrpS9OBg3hbHhletXxK9.exe

MD5 e5b1a4cb926664f49b35aa44a46af988
SHA1 567adda47b5cf24e9cbaea1150c6b8307c521bb1
SHA256 213ab367f4b6de4bff76229f31f9f1aa928a4d97dd69892d551a00b3ce1da14c
SHA512 4f53d73adcd137bd741880a8314acf733a085ca4b97800c5cb3c892eed45512940886d8d56ca716e5748b89561134ea0936a124e43a052b94ce744883f718ea9

C:\hostdll\System.vbe

MD5 95d20761fafb2ae8633a06a98ae98f45
SHA1 2666021eb7d6e697ed295adc1d5d1664aece9cc0
SHA256 2db7bad80e704aee083f5ed269f38145fac740eb135db36e7c4d502eff1e351c
SHA512 7d817db928ae1f096737edf0fb863aff6c7c1b3a6d97db2e08a162c359f66653d52eaeccc6a8b1efa2bab6b130b1f2c0e7e85cb30ad20678e2e4c4b4a98e84f1

C:\hostdll\msg.vbs

MD5 01c71ea2d98437129936261c48403132
SHA1 dc689fb68a3e7e09a334e7a37c0d10d0641af1a6
SHA256 0401f2dd76d5ed6f90c82b72e1e7a122ef127bedbaf717532c4bba26d43a0061
SHA512 a668d4216a50ccc699221dd902d8b0f864e44368dc7474fa5659a739154d4e769b85d49b60a73affb8fba7628e7210b0f8106d5652006d1bbba67083513e65d9

C:\hostdll\MOS

MD5 7fdcdf0890033579d5af74a47a395563
SHA1 70e726b9aabff8bb1e961bd749e101b09c9bea70
SHA256 475b1832f2c5af887bce9c8b72406e3b72b640f88c9bec4360ee25bf38a4d153
SHA512 3c13bae8e31050c3cda9153b5619611e8ce12aef6dd9cf4269ba6b6a569fbc6430ba819c92556f554bf834f909d67ec0df9de265655abafa798d360fe4270021

C:\hostdll\9CM8UClgzDu6e663tzDYIdEhMOgVSu.bat

MD5 1eb97692a5d4fbdb389ac7318a420b81
SHA1 54b5d069f0c06670ee0d3a244eb8930779768520
SHA256 14b4f85a00d3756e4702c5e241850bc90d9b9d846a3b2827334c9ec88ae7e8ad
SHA512 a60eb9a4d8ee82d85eb43a9a9a39b95f55a164436cb1b01ab2c76e3184f35e8c227b327e11b901b41c8c99c4dcb86957d5c6b66f0ba1e7dee231acf7a803d8bb

C:\hostdll\System.lnk

MD5 8a7b7389d7b75d4bec9c6d497eb51450
SHA1 f48905d31e6d110a04a825fd3ee5b3270c911731
SHA256 6d20670f9cb9578c89510eeed0bcd46c156864a98e858366900ade370c5a97c9
SHA512 cef5deadc8e746539fc1ca79a597dc90d5ad15164321f08baaa65317d599741d6b13ae16985095d3b978be6dc0c6d43f4a0b5d9487069bf8583a68426642e1b9

C:\hostdll\commonsvc.exe

MD5 7df85f5215c5a11c4e2ad007bd5b1571
SHA1 4ff16210bf5fab2f6fab85e6472c551d70fee692
SHA256 d9381960ff3975d9e76a8d1ba5642c2ab7abc16a7e8ec1aedca3d88c15175541
SHA512 df09df54155cdf36b0cda46e985cc24342c2427e61e52ca9e590791e3dc46753584ad2926994ee9db6ae68908b83af191856db82623e354cba32358c9b512b62

memory/1860-42-0x0000000000DA0000-0x0000000000FD2000-memory.dmp

memory/1860-43-0x000000001B780000-0x000000001BAD2000-memory.dmp

memory/1860-44-0x00000000005F0000-0x0000000000644000-memory.dmp

memory/1860-45-0x000000001AA40000-0x000000001AAD0000-memory.dmp

memory/1860-47-0x000000001AEE0000-0x000000001AF5C000-memory.dmp

memory/1860-46-0x0000000000660000-0x0000000000676000-memory.dmp

C:\hostdll\vmcheck32.dll

MD5 aa338ae7093e16da7e433883f6b85006
SHA1 b6e2e74dbe795180eab59764b3a4a24c5dd19310
SHA256 b5b4815b9f918262561de8d3b82cc3b73881cb516d0dd7d9cbb8a0f204e7be40
SHA512 e7cc60345d98d6e0fb7e6790714d23bcd85a0dd580d34aa83462d12937e5dc7a602a1115af24bbe53186823ac19341a174391f2cf936c93f57fad5c17eebf7e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 16:05

Reported

2024-06-01 16:08

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe"

Signatures

DcRat

rat infostealer dcrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | N/A
N/A | N/A | C:\hostdll\commonsvc.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\hostdll\commonsvc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\hostdll\commonsvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4228 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe
PID 4228 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe
PID 4228 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe
PID 1316 wrote to memory of 4176 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 4176 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 4176 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 3660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe
PID 4176 wrote to memory of 3660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe
PID 4176 wrote to memory of 3660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe
PID 3660 wrote to memory of 5200 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 3660 wrote to memory of 5200 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 3660 wrote to memory of 5200 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 3660 wrote to memory of 5208 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 3660 wrote to memory of 5208 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 3660 wrote to memory of 5208 | N/A | C:\hostdll\KrpS9OBg3hbHhletXxK9.exe | C:\Windows\SysWOW64\WScript.exe
PID 5200 wrote to memory of 904 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 5200 wrote to memory of 904 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 5200 wrote to memory of 904 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 4796 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\commonsvc.exe
PID 904 wrote to memory of 4796 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hostdll\commonsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8afdf3a8d8d1dd5e8268ff1b0a2d5892_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostdll\lNrjazEB4MngkM9e2yivBBGzL393R9.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostdll\lYVahkiDZg24kHPEAmzuNde2JNVrzg.bat" "

C:\hostdll\KrpS9OBg3hbHhletXxK9.exe

KrpS9OBg3hbHhletXxK9.exe -pc9752d735504b8e7294f2bf746d3325329eb193a

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostdll\System.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostdll\msg.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostdll\9CM8UClgzDu6e663tzDYIdEhMOgVSu.bat" "

C:\hostdll\commonsvc.exe

"C:\hostdll\commonsvc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | ovz1.j1069869.pr46m.vps.myjino.ru | udp
RU | 195.161.114.152:80 | ovz1.j1069869.pr46m.vps.myjino.ru | tcp
US | 8.8.8.8:53 | 152.114.161.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp

Files

C:\hostdll\lNrjazEB4MngkM9e2yivBBGzL393R9.vbs

MD5 872e7407b5d5add0e8f73c1c670db7da
SHA1 c4275d42130a321653681d3dc098503a1170debb
SHA256 f55a81590f802b846103a970597b4015ea76faadbd080875f3db9638bec7c18c
SHA512 28325c9c1d4c16fc001bb36a3e6f741c05fbc6547668f8ff3201680f78a6cdb06fa4bcf5406bc9674459cc4e7c5c5e2fd3e32fb1dc7fa9bbab784ad018b1d6a5

C:\hostdll\lYVahkiDZg24kHPEAmzuNde2JNVrzg.bat

MD5 1fe32b40dc4800a79bf02d7882d2cc3c
SHA1 43a73900a65a2a1efb05a0bb6a11c8c502a13196
SHA256 e90439335ed2096276ad888524fa585a10f0c23f9d36ab41ed0e6e2f2abe9f1c
SHA512 8fa375705a9c2c2826acabe9c00de126702ca5e9ad3ab96abc3fb69269948e1ad55dda93b97dfd89c5b8c7fdc8611d9ebdc6bf3771bf8f6b66e64822d81066e8

C:\hostdll\KrpS9OBg3hbHhletXxK9.exe

MD5 e5b1a4cb926664f49b35aa44a46af988
SHA1 567adda47b5cf24e9cbaea1150c6b8307c521bb1
SHA256 213ab367f4b6de4bff76229f31f9f1aa928a4d97dd69892d551a00b3ce1da14c
SHA512 4f53d73adcd137bd741880a8314acf733a085ca4b97800c5cb3c892eed45512940886d8d56ca716e5748b89561134ea0936a124e43a052b94ce744883f718ea9

C:\hostdll\System.vbe

MD5 95d20761fafb2ae8633a06a98ae98f45
SHA1 2666021eb7d6e697ed295adc1d5d1664aece9cc0
SHA256 2db7bad80e704aee083f5ed269f38145fac740eb135db36e7c4d502eff1e351c
SHA512 7d817db928ae1f096737edf0fb863aff6c7c1b3a6d97db2e08a162c359f66653d52eaeccc6a8b1efa2bab6b130b1f2c0e7e85cb30ad20678e2e4c4b4a98e84f1

C:\hostdll\msg.vbs

MD5 01c71ea2d98437129936261c48403132
SHA1 dc689fb68a3e7e09a334e7a37c0d10d0641af1a6
SHA256 0401f2dd76d5ed6f90c82b72e1e7a122ef127bedbaf717532c4bba26d43a0061
SHA512 a668d4216a50ccc699221dd902d8b0f864e44368dc7474fa5659a739154d4e769b85d49b60a73affb8fba7628e7210b0f8106d5652006d1bbba67083513e65d9

C:\hostdll\MOS

MD5 7fdcdf0890033579d5af74a47a395563
SHA1 70e726b9aabff8bb1e961bd749e101b09c9bea70
SHA256 475b1832f2c5af887bce9c8b72406e3b72b640f88c9bec4360ee25bf38a4d153
SHA512 3c13bae8e31050c3cda9153b5619611e8ce12aef6dd9cf4269ba6b6a569fbc6430ba819c92556f554bf834f909d67ec0df9de265655abafa798d360fe4270021

C:\hostdll\9CM8UClgzDu6e663tzDYIdEhMOgVSu.bat

MD5 1eb97692a5d4fbdb389ac7318a420b81
SHA1 54b5d069f0c06670ee0d3a244eb8930779768520
SHA256 14b4f85a00d3756e4702c5e241850bc90d9b9d846a3b2827334c9ec88ae7e8ad
SHA512 a60eb9a4d8ee82d85eb43a9a9a39b95f55a164436cb1b01ab2c76e3184f35e8c227b327e11b901b41c8c99c4dcb86957d5c6b66f0ba1e7dee231acf7a803d8bb

C:\hostdll\System.lnk

MD5 58aa4f5e59b5b7834f4e4b9a9eb29066
SHA1 4328ccd34cb6c7e8a2c0b3f2fd79d3821e177413
SHA256 e2392500f8ca036a94b08a8becfd4494e56a1f373abeff55b2aa0487f8f05240
SHA512 59671c43ec0f9695cb386be7b23e2a9ad12a60f4c8aeac918e5d2fc960fce077643076a42f328b735f20a6ce90ce86c04024619d060611646ec8471d637f0cec

C:\hostdll\commonsvc.exe

MD5 7df85f5215c5a11c4e2ad007bd5b1571
SHA1 4ff16210bf5fab2f6fab85e6472c551d70fee692
SHA256 d9381960ff3975d9e76a8d1ba5642c2ab7abc16a7e8ec1aedca3d88c15175541
SHA512 df09df54155cdf36b0cda46e985cc24342c2427e61e52ca9e590791e3dc46753584ad2926994ee9db6ae68908b83af191856db82623e354cba32358c9b512b62

memory/4796-41-0x0000020B975C0000-0x0000020B977F2000-memory.dmp

memory/4796-42-0x0000020BB1FE0000-0x0000020BB2332000-memory.dmp

memory/4796-43-0x0000020B97BA0000-0x0000020B97BF4000-memory.dmp

memory/4796-44-0x0000020B97CD0000-0x0000020B97D60000-memory.dmp

memory/4796-45-0x0000020B97D60000-0x0000020B97D76000-memory.dmp

memory/4796-46-0x0000020B99560000-0x0000020B995DC000-memory.dmp

C:\hostdll\vmcheck32.dll

MD5 aa338ae7093e16da7e433883f6b85006
SHA1 b6e2e74dbe795180eab59764b3a4a24c5dd19310
SHA256 b5b4815b9f918262561de8d3b82cc3b73881cb516d0dd7d9cbb8a0f204e7be40
SHA512 e7cc60345d98d6e0fb7e6790714d23bcd85a0dd580d34aa83462d12937e5dc7a602a1115af24bbe53186823ac19341a174391f2cf936c93f57fad5c17eebf7e5