Malware Analysis Report

2025-08-11 05:04

Sample ID 241230-cadc2stngs
Target JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5
SHA256 81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5

Threat Level: Known bad

The file JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

DCRat payload

Process spawned unexpected child process

DcRat

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 01:52

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 01:52

Reported

2024-12-30 01:54

Platform

win7-20241010-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Java\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\images\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Java\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\images\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ShellNew\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Prefetch\ReadyBoot\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Prefetch\ReadyBoot\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ShellNew\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\addins\audiodg.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\addins\42af1c969fbb7b C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ShellNew\smss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ShellNew\69ddcba757bf72 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Boot\DVD\EFI\en-US\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe C:\Windows\SysWOW64\WScript.exe
PID 1484 wrote to memory of 1688 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2096 wrote to memory of 2332 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2920 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 3008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2476 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2760 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2264 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2656 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2976 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2860 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2648 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2172 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2748 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 1944 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2200 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\addins\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\smss.exe'

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2096-13-0x0000000000390000-0x00000000004A0000-memory.dmp

memory/2096-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

memory/2096-15-0x00000000005E0000-0x00000000005EC000-memory.dmp

memory/2096-16-0x00000000005F0000-0x00000000005FC000-memory.dmp

memory/2096-17-0x0000000000600000-0x000000000060C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a325046d10d140ae068e1567ab2b63f1
SHA1 7148a19809a5bb7af42af73bfa3afeccfb3cabc6
SHA256 3c33a1b3b309720862391dbd3f82a6d749f7842bc658c775691dfa962e4f87f6
SHA512 951bab629f1f8e1ce3e5d3b1572bc683a3c71fbb8d658711c9c5a3f6512c9d3f203fa090083760d6f714a4765439a91ba06010a0393f33da763fb43463019cec

memory/2332-61-0x0000000002250000-0x0000000002258000-memory.dmp

memory/2332-60-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/2524-100-0x0000000000030000-0x0000000000140000-memory.dmp

memory/2524-151-0x00000000002D0000-0x00000000002E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCAC0.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCAE2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat

MD5 e1293437215700de5a28e634b97d0436
SHA1 af43cc1425ec1d4ddf61c0cf619b09daa11984ae
SHA256 4abc267d9ae43686962149c21c8eebe5925a86f152c6ad93bf7bc8e2f1c92b28
SHA512 9930f992206f44add7f67e924cecf86439d0bb168168ba7870017ee69b419c4f222ddbc6b94b91965ba1f7f4c9ba28678417a2f8cc9ec4c58aa8714be383e5a1

memory/3876-210-0x0000000000320000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da2102c4810ccccf3a30087ae53bc2df
SHA1 6af53a98463a13ef5c3a63fde875cc75bc1a03b9
SHA256 40f46b378d6f464d697221095c5353f5ec757f359260e4e15e8477397b39e2ad
SHA512 adb2571486c008b33e8562e19901550db18b8ee25fbd2d83f82826e149792314e824a7aa2b83b7cdc33581fde4bae83e1e27d37abd7273ab7b0410005e6cf997

C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

MD5 2dbc40f54d10700c9cd21f5aad653d32
SHA1 bff6358e2a4d3572691fb519aec5dc71a7e9c899
SHA256 19286a867777d6cdbb29af536caf3775161896d4fd1c59cf8e9268fbc30fd96d
SHA512 c6161771d04b75e1299c00f86b9de349b3fda44b3c78745bd1d5d407b66bfab2e5d742d6bd8e2c8e5883e160a69477c6b355ad38e85c2c7b65387ec39a87c2d8

memory/3016-270-0x00000000009D0000-0x0000000000AE0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0297849132582d4ceaafa85fdcca5237
SHA1 88d98c173540632e9e6ab52d44b3a272b181598e
SHA256 de8f26dc1b3418e84d8e0fcf34e321ccc5baa921e91b3e90a0a3aaf270bc447a
SHA512 4db75a61c9a5d0682c9e8f64705b1a35ab17912a2d3f337fdebf6f4568d99f637726295dbc479a939681ec86829f961f209fa391855c8b21e839165c62a7b55e

C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat

MD5 113283e68801317882c372196df507ed
SHA1 7c181ed91b372cc8d74eb99646469447fc970ba4
SHA256 f23d6083e047c03c06d8a0284ddd5a4f94034b26e058fccd548c5ac11596fef9
SHA512 178faff86b396d3592e1127656a9f5ca5cae7c35905e364c20eaacfb551fcbe7b787b45143a4a696fa5c7dfff68c9868adafed9b042da5dec4589c6cccd7456a

memory/2020-330-0x0000000001130000-0x0000000001240000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4f796c733e6e15c9c62958bce099d05
SHA1 25a8d0335fe36f534c4a886acf039112c255c455
SHA256 3768c37c71dbb061e70a14c719d96e90bbf9c80cfb8f67d9a3f183641e783e40
SHA512 318e0a77a34dc5f75d59bf812e9d2c1948de11c036688aed48ad90a2884c01b8822ad75d4abacee6707ff57b791a6d2267ae451f7646819aaa123001d008d4f0

C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

MD5 d5d1364b02ffa5cc31b451612785d991
SHA1 cae1d87127586607cfa7ee93141dddd90851c473
SHA256 eaa1ed254b3c022d90141d40f18ed3ecfee143bdc7fff717df28b893571862a1
SHA512 8c763852ccaf227a69ba47ef362b9784b3e133abe3250ff1c67058a4f1de8cd09085ca44ddb5d635659687d33d4d78845bf98b370c6b4aa5c5c3182da399ca37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ea7e70893bb6687a35a45225b9298d7
SHA1 2855127da28a195ff02cd02ab0d7d4c983b22bfa
SHA256 07ca822f7649dc202bf2ec741e4301c642ff4d92ab4f6ed99d941126716827ce
SHA512 fc33c83d3e826c7234223dff97b486946240dc67d7fb277c4b942caef19649b43a69ce7f467d4b3cfbab0289298d922daac76bb4614f5254285b52ac7583b7ae

C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

MD5 cd788331c0194e60345c4bdddeab482c
SHA1 2e8c760c1f948ddd595e2de35e7da122fc8bbff5
SHA256 80d25f19ebb52ecce030460b1c09f32f411dc4cb03a6ad5a88f1ec20e594059c
SHA512 17a55f8a4442309989b65cf56320653e81ebed83b083dc5ea479866063f981733701ce03f1c87b5d5780e76375e5d0c55f6e4b0feafc336c0596e4b981a8b832

memory/3468-449-0x0000000000260000-0x0000000000370000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5da8241e686cfca7b7195315191e359
SHA1 7dd4a196ab4a429ec646968dd45ebc9a0b6e3bf5
SHA256 924eece126f2386efc4349a6160238d3045fcd39853413eaa0eef5ef7feedc8d
SHA512 43e0de4558e84e2b2aa3d868c53da6a9667975e0c98acee04221e681e4cfb0b30e311843c1abc66d394d01ad9c327a25357ad5070f32e05750e2dd1f2472b9a8

C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat

MD5 0274a29ce134a487d61355974c288dce
SHA1 36dfdc3d70bc1b283141d06a36f95731d452be4e
SHA256 f191c23e6a67ce4f202e1503f7fc49cbffe2457f9b7b5afa028fd0c4470e76f8
SHA512 795ebff8e39c681b4caa1018784cd6ea1290edb51ba4bb831f49ce90a94c709a6293bb536bdb81dea285f0d3ab2d580639d11a509a4ad6a5cf2d61dfc763b6bf

memory/3820-509-0x00000000000D0000-0x00000000001E0000-memory.dmp

memory/3820-510-0x0000000000350000-0x0000000000362000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74c61a01f7e28a03e856f4c42308efc6
SHA1 44f54ad4bf66db9f92f0c7c340c11960673b0793
SHA256 99a3fc5f2e3bc557de82dd58d8a96ab65d41eb76b3c6d185aed832730a946ce4
SHA512 c930fc2cb34116afa49c03e830821eb0a5def89ed3c5d076376f252522083f14720d623eecdd7a323dd782bb09aa759cd6be23a0f4799f6b2309b2470b492233

C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

MD5 0c6719cdb5f23c6f64940860c52dea54
SHA1 5edfa302fb8606c8f03f7611cc707cb1bd7c71bc
SHA256 ca4dd9c96d046cdeb4b21a52bddbd70b9c30de974751b544937547804f87c584
SHA512 4ce10ac6af1874def9f5243192f242f8ba0fd158a17a9d091c711747b845ba234df14a13816ae29e694066b8e75d4a1d7c1137ffe61f30a0339d9956382aeea1

memory/868-570-0x0000000000190000-0x00000000002A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f07e003b37ac41d23a88655a54f6356b
SHA1 1224e5ecd1a74b8a66e162902fdf139a39ef72f6
SHA256 f8e7c0c3a1d5684a1f4cd6209118e2b81d3f9142e4d655d7e8803722240734b7
SHA512 31c29608b59d4c2a1fc79bd1aaa4bb1768d7659477a012e46d6f74616699d399bad0abd76cef42997a6ee5150b0e9c679d48ef03a4f2cc5b8c584e8557d0696b

C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

MD5 236fc998ccd9dcf461886fdb3dda24db
SHA1 c821507313f9bd861ce264c11adac889a73480ce
SHA256 ad87cb32c538c55ef9a4e94a9d0e807db1ba2f5c3237e614ea778fbc9adfb12f
SHA512 3a65e612e6206c87898c1c9d3342a27174583f4d92d82aa467166ed3e7bf3b5ba968f178fb20f37b130535a2042bed8433ef7c115ed0679cb186886b20d6d228

memory/3076-630-0x0000000000F10000-0x0000000001020000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd9b7c7db4756bfc9e740d7604993045
SHA1 ad4f3254fa442dc173c460ebbcc9d62d4c0f5218
SHA256 101e7ff7c1db90d08a132c3374058f8674744e61d4f2f2b6737faaa999a60426
SHA512 e0cfa39f848662e77027f44c8b6936bf637373112bb31b0988bed95ee750c6fa423ac94cbf92a78482ff89993e6c6573312e4361c645c12b982731fba5d90ef6

C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

MD5 73a620cb1e68dcca7ef98444b44e293a
SHA1 1dd89176f02de97d49ad4ebfae791c05ca46b787
SHA256 a351a9bd453f328c0212c5f54ef012d49ec64795d5a36fdbe66987a2950d5d0c
SHA512 b76c5f8b41f267bdf94cd115f85e013f1d7bd13526793cfa5fb7c076dc0bcdf52fc3625fcd57d88100ebc1def613e23bbe50fca104e25a2f748f9f0bf6a6d604

memory/2220-690-0x0000000001190000-0x00000000012A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cffa744045db22410bbb22f4b4367afb
SHA1 22bccdd65901648ab0457e66cbbc193c2fc27650
SHA256 f0f04ef002055a4deb4145ddb4127ebabcd6f2497652e28aee4aec7e3bc1748a
SHA512 c8d2c844840c005ea42530bdf6e481c88fbd54c777dc7bd466a2ac29559add124269bc9a4be59d3649f4d9e96ee1fe5074505cda8728263a940ec53923a61767

C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat

MD5 a1bde383caa5ffc938e5fd03e1848c40
SHA1 aa4c5a8e0dfb9991f9f8273e1decf9eba32b4624
SHA256 a8cbfc03d40a0ec0e2cf09594ce81190e560cbb4f944ccba76ee69a68fab5d9d
SHA512 f9394ec1cab821fddd9ad66869c71a383426c396b0b782820c40f22a2527da3f437b596a42325bb1cb61b9758cb23652f7aa20f6aa2758df97d875f659d8d9d5

memory/3312-750-0x00000000011C0000-0x00000000012D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 01:52

Reported

2024-12-30 01:54

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\assembly\GAC_32\CustomMarshalers\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
N/A N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3784 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe C:\Windows\SysWOW64\WScript.exe
PID 3784 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe C:\Windows\SysWOW64\WScript.exe
PID 3784 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe C:\Windows\SysWOW64\WScript.exe
PID 1784 wrote to memory of 1420 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 1420 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 1420 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1420 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2820 wrote to memory of 100 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 100 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 3724 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 3724 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 4480 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 4480 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 732 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2820 wrote to memory of 732 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 732 wrote to memory of 852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 732 wrote to memory of 852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 732 wrote to memory of 3764 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 732 wrote to memory of 3764 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 3764 wrote to memory of 2276 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 3764 wrote to memory of 2276 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 2276 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2276 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2276 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 2276 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 4508 wrote to memory of 5088 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 4508 wrote to memory of 5088 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 5088 wrote to memory of 2104 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5088 wrote to memory of 2104 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5088 wrote to memory of 4788 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 5088 wrote to memory of 4788 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 4788 wrote to memory of 3620 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 4788 wrote to memory of 3620 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 3620 wrote to memory of 3012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3620 wrote to memory of 3012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3620 wrote to memory of 1088 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 3620 wrote to memory of 1088 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 1088 wrote to memory of 1444 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 1088 wrote to memory of 1444 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 1444 wrote to memory of 4848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1444 wrote to memory of 4848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1444 wrote to memory of 3540 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 1444 wrote to memory of 3540 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 3540 wrote to memory of 4804 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 3540 wrote to memory of 4804 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 4804 wrote to memory of 4312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4804 wrote to memory of 4312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4804 wrote to memory of 988 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 4804 wrote to memory of 988 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 988 wrote to memory of 4324 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 988 wrote to memory of 4324 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 4324 wrote to memory of 4588 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4324 wrote to memory of 4588 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4324 wrote to memory of 3532 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 4324 wrote to memory of 3532 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 3532 wrote to memory of 5064 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 3532 wrote to memory of 5064 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 5064 wrote to memory of 3684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5064 wrote to memory of 3684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5064 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 5064 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 624 wrote to memory of 3028 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 624 wrote to memory of 3028 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
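The rows above are a flattened process lineage: each "PID X wrote to memory of Y" pair is a parent preparing a child it is about to start, and the sandbox logs the same write several times. The script below is an added example by the editor, not part of the sandbox output. It rebuilds the tree from a verbatim excerpt of the table, prints it, flags images that carry a Windows system binary name (conhost.exe) but run outside System32/SysWOW64, and counts how many times the copy at C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe re-launches itself through an intermediate cmd.exe. The system-name list and the trusted-directory prefixes are assumptions; the excerpt is copied from the table (the full table yields a longer chain, the same logic applies).

```python
import re
from collections import defaultdict

# Constructed input: an excerpt of the WriteProcessMemory rows above, copied verbatim,
# including one of the sandbox's repeated entries for the same write (deduplicated below).
WPM_ROWS = r"""
PID 3784 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe C:\Windows\SysWOW64\WScript.exe
PID 3784 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe C:\Windows\SysWOW64\WScript.exe
PID 1784 wrote to memory of 1420 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2820 wrote to memory of 100 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 732 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 732 wrote to memory of 852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 732 wrote to memory of 3764 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 3764 wrote to memory of 2276 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 2276 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2276 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 4508 wrote to memory of 5088 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 5088 wrote to memory of 2104 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5088 wrote to memory of 4788 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
PID 4788 wrote to memory of 3620 N/A C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe C:\Windows\System32\cmd.exe
PID 3620 wrote to memory of 3012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3620 wrote to memory of 1088 N/A C:\Windows\System32\cmd.exe C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumption: a binary with one of these Microsoft image names is only legitimate
# when it runs from System32 or SysWOW64; anywhere else is treated as a masquerade.
SYSTEM_NAMES = {"conhost.exe", "cmd.exe", "w32tm.exe", "wscript.exe", "powershell.exe", "schtasks.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(text):
    """Return the set of unique (parent, child) PID edges and a PID -> image path map."""
    edges, image_of = set(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            parent, child = int(m[1]), int(m[2])
            edges.add((parent, child))
            image_of[parent], image_of[child] = m[3], m[4]
    return edges, image_of


def build_tree(edges):
    """Children of each PID, in ascending PID order."""
    children = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    return children


def render_tree(children, image_of, pid, depth=0):
    """Indented text tree rooted at pid, one line per process."""
    lines = [f"{'  ' * depth}{pid} {image_of[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, image_of, child, depth + 1))
    return lines


def masquerading_pids(image_of):
    """PIDs whose image name is a well-known system binary but whose directory is not a system directory."""
    hits = [pid for pid, path in image_of.items()
            if path.lower().rsplit("\\", 1)[-1] in SYSTEM_NAMES
            and not path.lower().startswith(SYSTEM_DIRS)]
    return sorted(hits)


def respawn_count(children, image_of, start_pid):
    """Count how often the image of start_pid re-launches itself via an intermediate cmd.exe."""
    image, count, todo, seen = image_of[start_pid], 0, [start_pid], set()
    while todo:
        pid = todo.pop()
        if pid in seen:
            continue
        seen.add(pid)
        for mid in children.get(pid, []):
            if image_of[mid].lower().endswith("\\cmd.exe"):
                for grandchild in children.get(mid, []):
                    if image_of[grandchild] == image:
                        count += 1
                        todo.append(grandchild)
    return count


if __name__ == "__main__":
    edges, image_of = parse_rows(WPM_ROWS)
    tree = build_tree(edges)
    print("\n".join(render_tree(tree, image_of, 3784)))
    print("masquerading PIDs:", masquerading_pids(image_of))
    print("conhost.exe respawns via cmd.exe:", respawn_count(tree, image_of, 3764))
```

On the excerpt the tree has a single root (PID 3784, the sample), every conhost.exe PID is reported as masquerading, and the GAC copy of conhost.exe re-launches itself three times; the cmd.exe hop in each cycle is the batch file that also runs w32tm, which is why a plain parent/child rule on conhost.exe alone misses the loop.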

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81a5a5bce72f570318031322a9b7786f8ba579b1dccf2c4b79d10a16b2e5d6a5.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1VfyMFqhT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe

"C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe"
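The command lines above carry the whole persistence and defence-evasion routine: six schtasks /create calls that re-launch copies named after real Windows binaries (fontdrvhost.exe, conhost.exe) from directories where those binaries never live, three Add-MpPreference calls that exclude exactly those paths from Defender, and repeated w32tm /stripchart /computer:localhost invocations that serve only as a delay. The detection rules below are an added example by the editor, not part of the sandbox report; they run over the command lines copied from this section plus one constructed benign scheduled task, so a practitioner can see which entries fire and why. The trusted-directory prefixes and the 15-minute interval threshold are assumptions.

```python
import re

# Constructed input: command lines copied from the Processes section above, plus one
# constructed benign scheduled task (the last entry) that the rules should leave alone.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"''',
    r"""schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f""",
    r"""schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe'" /f""",
    r"""schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe'" /rl HIGHEST /f""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_32\CustomMarshalers\conhost.exe'""",
    r"""w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2""",
    r'''schtasks.exe /create /tn "Acme Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe"''',
]

# Assumptions: directories from which a scheduled task target is considered trustworthy,
# and the shortest MINUTE interval a legitimate job is expected to use.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
MAX_BENIGN_MINUTES = 15

EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(?:\.exe)?\b", re.I)
SCRIPT_FILE_RE = re.compile(r"\"([^\"]+\.(?:vbe|vbs|js|jse|wsf))\"|(\S+\.(?:vbe|vbs|js|jse|wsf))\b", re.I)


def _opt(cmdline, flag):
    """Value of a schtasks /flag option with the surrounding "..." and '...' quoting removed."""
    m = re.search(rf"/{flag}\s+(\"[^\"]*\"|'[^']*'|\S+)", cmdline, re.I)
    return m[1].strip("\"'") if m else None


def parse_schtasks(cmdline):
    """Fields of a 'schtasks /create' command line, or None if this is not one."""
    if not re.search(r"\bschtasks(?:\.exe)?\s+/create\b", cmdline, re.I):
        return None
    return {
        "name": _opt(cmdline, "tn"),
        "schedule": (_opt(cmdline, "sc") or "").upper(),
        "modifier": _opt(cmdline, "mo"),
        "runlevel": (_opt(cmdline, "rl") or "").upper(),
        "target": _opt(cmdline, "tr"),
    }


def schtasks_reasons(task):
    """Why a parsed task looks like a persistence watchdog; empty list means no concern."""
    reasons = []
    target = (task["target"] or "").lower()
    if target and not target.startswith(TRUSTED_DIRS):
        reasons.append("target outside trusted directories: " + task["target"])
    mo = task["modifier"]
    if task["schedule"] == "MINUTE" and mo and mo.isdigit() and int(mo) <= MAX_BENIGN_MINUTES:
        reasons.append(f"re-launches every {mo} min")
    if task["runlevel"] == "HIGHEST":
        reasons.append("requests /rl HIGHEST")
    return reasons


def w32tm_sleep(cmdline):
    """w32tm /stripchart against localhost has no diagnostic value and is a common sleep substitute."""
    return bool(re.search(r"\bw32tm\s+/stripchart\b.*?/computer:localhost", cmdline, re.I))


def triage(cmdlines):
    """Return (rule, detail) findings for every command line that trips a rule."""
    findings = []
    for cmd in cmdlines:
        task = parse_schtasks(cmd)
        if task and (reasons := schtasks_reasons(task)):
            findings.append(("scheduled-task persistence", f"{task['name']}: " + "; ".join(reasons)))
        if m := EXCLUSION_RE.search(cmd):
            findings.append(("defender exclusion added", next(g for g in m.groups() if g)))
        if SCRIPT_HOST_RE.search(cmd) and (m := SCRIPT_FILE_RE.search(cmd)):
            findings.append(("script host launch", next(g for g in m.groups() if g)))
        if w32tm_sleep(cmd):
            findings.append(("w32tm stripchart used as delay", cmd))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_CMDLINES):
        print(f"[{rule}] {detail}")
```

All six of the sample's schtasks calls fire (the ONLOGON pair for the /rl HIGHEST request and the out-of-place target, the MINUTE pair for the short interval as well), the constructed daily backup job does not, and the three exclusion findings list the same three paths the scheduled tasks point at, which is the cross-reference an analyst would pivot on. On a live host the equivalent check is Get-ScheduledTask piped through the task actions plus Get-MpPreference for ExclusionPath; here the rules are applied to recorded command lines so that they can be run against EDR or sandbox exports offline.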

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2820-12-0x00007FF887633000-0x00007FF887635000-memory.dmp

memory/2820-13-0x0000000000430000-0x0000000000540000-memory.dmp

memory/2820-14-0x0000000002860000-0x0000000002872000-memory.dmp

memory/2820-15-0x000000001B050000-0x000000001B05C000-memory.dmp

memory/2820-16-0x0000000002870000-0x000000000287C000-memory.dmp

memory/2820-17-0x000000001B060000-0x000000001B06C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3uzpjfty.bs2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3724-35-0x000002B7718F0000-0x000002B771912000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\x1VfyMFqhT.bat

MD5 cbe4f799caf7e9c4ec221433e4284c72
SHA1 30dca6c51b21ff4b229f6756c27185a1dee51783
SHA256 46c1efd516d4cca882b3b41a0067a22a054c93f4813dff3676a863c9edbe6b91
SHA512 a5706803dd5e3ebddc9aa432d5453cd5ffb607c834cd10bd44aa966f90672fa64dcdd0116b131c3775dccbed8f950c729eb50aaa08e75793ab7de7c7f2c2bf66

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat

MD5 9c14f7cc489abcda0af8584ac657c5ab
SHA1 796ac85375f8dfd96e26824244b8184137141fd6
SHA256 7f1b3def876f82a68b984d4cb26c5ea50be4eac7ba3706406d98a2a5930ddd1d
SHA512 1e3c34a792ee2f39ed8dd8bcd2a910afb273778bd2d89ce5a23467767c5858a1f4c160c23b414ed3e431f820a7f8d90305be6ea01a9d75e977fbc9f6c4dbf4f4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/4508-78-0x000000001C7F0000-0x000000001C999000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat

MD5 b3adbbefb7f73214c1d1df1665c254e3
SHA1 49d637d67bc4b618fd655b7e723c3173f97de037
SHA256 9331287b85098926201e0266c39e9e766f8c46f3e3d1e1eed0f5b02bcea6f882
SHA512 816d05c6f27753648b4da788cdf876a13c17b0e7930b406d5e218d5ae61114281dfaadd980d81e00f3c9ee491b61dda88d62357a78f057937392c58c439bd873

memory/4788-81-0x0000000001710000-0x0000000001722000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

MD5 4649db160a79c5c984846b0367d1255a
SHA1 337fb348c1a93ff99f9ed2a0a98f804aabc76a8a
SHA256 a87f774610f2f1124fd822588cceeacc9beb52a69ce893458de4bb440d678bcd
SHA512 61d87ec515908aaf26fc50434d81ebcce327831d0cc64fa5851cab2d093499229a292cd3b332a62b90fe5305bf85f55317af97045b6208d6740b591c3b8fef89

memory/4788-86-0x000000001CB00000-0x000000001CBA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat

MD5 d9c08cae7c0286c1d0ff406d3d13cd8d
SHA1 691f97baf482c00295e3b61e62785b2098b2d2dc
SHA256 820f41eac816cdd912de68a4af98c9d913b37030c953692adb95dd26dd16913a
SHA512 0a638c58eab0925cea8d4fb2f4dadfb0ba5cdeeac68bb405249566d76202695c119962f432239e3a29cbb9ab59c192d1d5fefd39bb00044c2e01d7d76d22f62f

memory/1088-93-0x000000001C390000-0x000000001C4FA000-memory.dmp

memory/3540-96-0x0000000001010000-0x0000000001022000-memory.dmp

memory/988-103-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/988-108-0x000000001C230000-0x000000001C39A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat

MD5 5bd32fdf96b64345e42e6bfbe8f97d0c
SHA1 fa224ce1969dc292668f1c3d6d002b6cd9247a63
SHA256 99bb6ff89b475d38aa61209740c8282ef7004d08bb3e951bbd28c1405138c98a
SHA512 7ce711bbc74ec264c4293445791302bd232891752847b6e790b71a08a7eae88b4a5631fd9db40ff430fa08800095e89882d343078146c882f83483f2df7561b5

C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

MD5 2f63db3e83af266f173d788950e2d002
SHA1 17456d20466dd792c386ea5c4e86f486ea041d6c
SHA256 388134922388f97894d771e41bfd4c4d407d39a4904aac06e1912ae36dcfc718
SHA512 9549b0a04605683dc32cab72866648f5ed5e8283f18a15f6f3d17f1469e4653e35247dcbc7684c088dfb2d4d0b2363160e3941ce6a716b0d92164fffd8d14cba

memory/624-117-0x00000000015D0000-0x00000000015E2000-memory.dmp

memory/624-122-0x000000001C950000-0x000000001CABA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

MD5 0018d94887a580adf8d3e0e4bc6036dd
SHA1 4b30936757e0277111841a1565e5594bfb72333a
SHA256 1ce244faf50dcf45fa226f784e1f2d4f19c66c8ce98717ccb7a6285d0de09022
SHA512 8589f09e66b7a37837f479856beb4cbc3deea6ad4234ff8230753244288302829b4b71dcbce34d0da4295467b908120b2fb8a1a851d4434b11fa197fa9a33c31

memory/3012-125-0x00000000023D0000-0x00000000023E2000-memory.dmp

memory/3012-130-0x000000001BD00000-0x000000001BE6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat

MD5 dad2419179b4553d95f25bd40988a2a3
SHA1 242dbf3be913277ff41c7b71f762794683168d51
SHA256 a421f25254fe7ba6438712cbca6cb3d8c2f19f83a36d54f47c77fc3a9a45ee2a
SHA512 55efb38a7f3474b7ab2f518518a0d49f3e897e2d16b01ec2a80b271dbfaa82e19d2bef8144c40c7651091263601114cd578be8896d48c8d5244fb31980290378

memory/1436-133-0x0000000001720000-0x0000000001732000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

MD5 14bcd2c3a094a65c8ea47bc1df59df78
SHA1 115b67cf82185af4cc9ec2be412d10ccc99f0046
SHA256 d94dbdf6d36b82be13b20287ef8e4c4bc94d9e5b8892295ce958e16ddc1bfcd4
SHA512 39dae8cc4f8f856d2a2bde40fa2077804d6b7ad4af169f0bd526b67379d631f64f17ae46fa00aef22246465583f9bec63033d8375d642d4cf6bceab553b406e3

memory/4284-144-0x000000001C3C0000-0x000000001C569000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

MD5 fde93361114af9100811aa53ed907dc8
SHA1 2647418737295b041d614cd0cd2ac43dddacc1f3
SHA256 24db742d87f0b8bf08f2076a2152bc7c8216b03e3555d79e965acff93c04af6d
SHA512 9088fe6b6277262bce432b0997cb20895c73f116b181cb73da909db8824772bf81ca5878ae9fcf8bd49debbd056c1aa0c0f8be14aabb5990e65a0edce87e4bd0

C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

MD5 f049a949edb28c4e668e35f3ae4b88e9
SHA1 9fa82ebc75827e04bfb3c88e03cad4bac4b3a116
SHA256 b412e1ae57f8dcb3da9bb83e591c800790432efbc73838ee293d185240b1395c
SHA512 72854263550c99d2758ff8f6396abc39f304c1db702419af45cb9290187db10f55656c2b28314499fbc59d26a3a8b3be465cd40f4ca322d8c487dc7077821b55

memory/3088-152-0x000000001C0F0000-0x000000001C299000-memory.dmp

memory/4788-154-0x0000000000B20000-0x0000000000B32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

MD5 b6f0cdeb5ee37ad03c60bd3e1c71a707
SHA1 c57beef34f025759fa2d725104d009e7193c1879
SHA256 2dd484ffae5235caf2829bf204acd9d65a0f4979197f26d91fd26657ba56fb6e
SHA512 fb7f562387c009e5ac154a5e5dc18e0ba6a03dd002c03dd2b78f57ac24949d341b981611cb2981eb373df1f3fb7438ae5ed4701bbcb4920cfe8c97def927329b