Malware Analysis Report

2025-08-11 05:04

Sample ID 241230-cfn2qstqay
Target JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2
SHA256 b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2

Threat Level: Known bad

The file JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 02:01

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 02:01

Reported

2024-12-30 02:03

Platform

win7-20240903-en

Max time kernel

146s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (identical entry repeated 54 times)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (identical entry repeated 8 times)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A (identical entry repeated 2 times)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A (identical entry repeated 11 times)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\b75386f1303e64 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Media Player\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Google\Chrome\WmiPrvSE.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Google\Chrome\24dbde2999530e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Media Player\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PLA\Rules\en-US\smss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\PLA\Rules\en-US\69ddcba757bf72 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (identical entry repeated 54 times)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (identical entry repeated 9 times)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (identical entry repeated 19 times)
N/A N/A C:\Program Files (x86)\Windows Media Player\dllhost.exe N/A (identical entry repeated 11 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (identical entry repeated 19 times)
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Media Player\dllhost.exe N/A (identical entry repeated 11 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe C:\Windows\SysWOW64\WScript.exe (identical entry repeated 4 times)
PID 2544 wrote to memory of 2744 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (identical entry repeated 4 times)
PID 2744 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe (identical entry repeated 4 times)
PID 2860 wrote to memory of 2876 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 2760 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 2720 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 2808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 2772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 2636 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 1992 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 1144 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 1724 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 1740 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 1892 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 2660 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 2548 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 2004 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 1924 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 2656 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 1912 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (identical entry repeated 3 times)
PID 2860 wrote to memory of 2508 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Rules\en-US\smss.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D7EBp90Pxg.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\dllhost.exe

"C:\Program Files (x86)\Windows Media Player\dllhost.exe"
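The command lines above carry three recurring DCRat traits: every dropped copy is registered three times with schtasks (a MINUTE-interval task without /rl HIGHEST, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST), every copy is named after a genuine Windows process (csrss, lsass, smss, winlogon, dllhost, WmiPrvSE, taskhost, lsm) but lives outside System32, and each path is then added as a Defender exclusion with Add-MpPreference. The cmd /C <random>.bat followed by w32tm /stripchart /computer:localhost and a relaunch of dllhost.exe is the relaunch loop; w32tm against localhost with /period:5 /samples:2 does no useful time-sync work and serves as a few-second sleep. The Python below is an added detection example, not part of the sandbox report: it parses those command lines and reports the masquerades, the task triplets and the exclusions that cover task targets. PROCESS_LOG is a constructed subset copied from the process list above; SYSTEM_NAMES, the finding labels and the TRIPLET definition are my own choices.

```python
"""Detection over DCRat-style process command lines (added example, not part
of the sandbox report).  Parses schtasks /create, Defender Add-MpPreference
and the cmd/.bat -> w32tm delay chain and reports the persistence pattern.
PROCESS_LOG is a constructed subset copied from the report's process list."""
import re

# Names of real Windows processes that the sample reuses for its copies.  A file
# with one of these names outside the system directories is a masquerade.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "winlogon.exe", "dllhost.exe",
                "wmiprvse.exe", "taskhost.exe", "lsm.exe", "services.exe",
                "sppsvc.exe", "cmd.exe", "runtimebroker.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: command lines copied from the report.
PROCESS_LOG = [
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f''',
    r'''"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' ''',
    r'''"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe' ''',
    r'''"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe' ''',
    r'''"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D7EBp90Pxg.bat"''',
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
    r'''"C:\Program Files (x86)\Windows Media Player\dllhost.exe"''',
]

TASK_RE = re.compile(
    r"""schtasks(?:\.exe)?\s+/create\s+/tn\s+"(?P<name>[^"]+)"\s+/sc\s+(?P<sched>\w+)"""
    r"""(?:\s+/mo\s+(?P<mo>\d+))?\s+/tr\s+"'?(?P<target>[^"']+)'?"(?P<rest>.*)$""", re.I)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.I)
W32TM_RE = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.I)
BAT_RE = re.compile(r'cmd\.exe"\s+/C\s+"[^"]+\.bat"', re.I)
# The three registrations DCRat creates per dropped copy: (schedule, /rl HIGHEST).
TRIPLET = {("MINUTE", False), ("ONLOGON", True), ("MINUTE", True)}


def parse(lines):
    """Split the log into scheduled tasks, Defender exclusions and the counts of
    .bat launches and w32tm localhost delays seen in the relaunch chain."""
    tasks, exclusions, bat_runs, w32tm_runs = [], [], 0, 0
    for line in lines:
        if m := TASK_RE.search(line):
            tasks.append({"name": m["name"], "sched": m["sched"].upper(),
                          "every": int(m["mo"]) if m["mo"] else None,
                          "target": m["target"],
                          "highest": "/RL HIGHEST" in m["rest"].upper()})
        elif m := EXCL_RE.search(line):
            exclusions.append(m["path"])
        elif BAT_RE.search(line):
            bat_runs += 1
        elif W32TM_RE.search(line):
            w32tm_runs += 1
    return tasks, exclusions, bat_runs, w32tm_runs


def is_masquerade(path):
    """True when the file name is a Windows system process name but the file
    sits outside System32/SysWOW64."""
    low = path.lower()
    return low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS)


def analyse(lines):
    """Return the findings keyed by label (labels are this example's own)."""
    tasks, exclusions, bat_runs, w32tm_runs = parse(lines)
    by_target = {}
    for t in tasks:
        by_target.setdefault(t["target"].lower(), []).append(t)
    return {
        "masquerade": sorted(p for p in by_target if is_masquerade(p)),
        "dcrat_task_triplet": sorted(
            p for p, group in by_target.items()
            if TRIPLET <= {(t["sched"], t["highest"]) for t in group}),
        "defender_exclusions": sorted({p.lower() for p in exclusions}),
        # An exclusion that names a task target ties the two stages together.
        "defender_exclusion_covers_task": sorted(
            {p.lower() for p in exclusions} & set(by_target)),
        "bat_w32tm_delay_chain": bat_runs > 0 and w32tm_runs > 0,
    }


if __name__ == "__main__":
    for label, value in analyse(PROCESS_LOG).items():
        print(f"{label}: {value}")
```

On real telemetry, feed analyse() the CommandLine field of process-creation events (Sysmon Event ID 1 or Security 4688) for schtasks.exe, powershell.exe, cmd.exe and w32tm.exe. The masquerade check and the exclusion-covers-task correlation are the high-confidence signals; a MINUTE task with /rl HIGHEST alone also occurs in legitimate software, so it is only reported as part of the triplet here.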

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2860-13-0x0000000001380000-0x0000000001490000-memory.dmp

memory/2860-14-0x0000000000350000-0x0000000000362000-memory.dmp

memory/2860-15-0x0000000000470000-0x000000000047C000-memory.dmp

memory/2860-16-0x0000000000360000-0x000000000036C000-memory.dmp

memory/2860-17-0x0000000000480000-0x000000000048C000-memory.dmp

memory/2760-75-0x0000000002790000-0x0000000002798000-memory.dmp

memory/1992-73-0x000000001B640000-0x000000001B922000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 abeca5e9c2df995ec43df1ca199cdbfe
SHA1 9d378f1aa57361c6279469983039c01ac8522e1e
SHA256 d6e9866ffef01d8ad79f2d2820998a25c04d2cb0a998699437cbd4e9e0364b1e
SHA512 c22e92c90c074a829f90b9f3aac5b0eea2fb022e1c393f6d717281d6c9d880872c195af4350fa7a9f00d334956622914d27a26cdd07a6549a4e15c7ccfd01a2f

C:\Users\Admin\AppData\Local\Temp\D7EBp90Pxg.bat

MD5 a0558142895798c915fe2d9cb05cbebd
SHA1 fb81470aa959b2df364537a80860afdf56ced571
SHA256 d6bbb9e469dd4f09fb50b394c635716a6461d088338e1dbf24cf13c500f542d9
SHA512 4f1b27bdafa3e4644382f22c1f3d3e2bdbad276a39a34deb9f5d016bfe3ebcef1cdbced0d6e0fd344583ec63c0bce0417393a8a9bfc14217cba8863fe6549461

memory/2920-148-0x0000000001090000-0x00000000011A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2DB7.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2DC9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat

MD5 6ee65545091c107f727103b4c3b7de31
SHA1 bbd1e8efa11a098a8583e436f9b99618b6d992bb
SHA256 23cb4c1a521cfee2889993e24e7611ab41db6fb78ecf81d0c3dc682788601959
SHA512 89e6c28b2b3702b68e5a7da248030ddec13bdc1dcac1cdb03fb233ee83164b0166aa02907d1207799a58c849a5208cec852def48e1b7998ab66b47d0879931c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59072839ee960dd04a327d4332531a5e
SHA1 a0ab9f4fd04b54b7c2b83e993477a9abcd93b644
SHA256 59c442a94f4962ba78df88959a1298d735e53af53e261efe1e79d675d7c289a5
SHA512 61a9fca060a7de3ebbdac86725f9f7b808c2fc0328341d7c1956bc28301a8e7711d6b90cefd8e9a03dffdbcbda6e610b213923b5b4dd21123220162b3a323bd2

C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

MD5 b229017f22310c8b9d1f05c30991eb8a
SHA1 8232d20339b18a485f2481e690337bd283ffd6b9
SHA256 62de0373a7b35d7f726e253f7c6eb631eceff0ae1fb281abc79795499dc45a87
SHA512 04cb78c127131efef93bc3e70f599a18c00fbc824362472272e81c24e0bcb2fbcd31a167c990e5c5a77e376f5aa63f5120ab0631f8f6224a217b419fa4afc0fe

memory/2184-266-0x0000000001320000-0x0000000001430000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c67805f76357bf4fa91c74cfa94499f
SHA1 381195862024d5f40d7241000e088dbbbdc95403
SHA256 3747082d873e2c751708ff3b99d5801e22e645872fde6d8060d69a555775e374
SHA512 ef0d35f60dac27cbafa49a3ce9b49e9d3850bba2e684ab4c457ed48e6f15742e90d2adcbfe75526ad910ff2d06a7ad3c7215bcbb319fc9ba17f70215c63d0e4c

C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

MD5 ab8410fe35ea6a38c02b067a1b6b178c
SHA1 fa35205f4f0107a6f9e48a6c391aa6bcf1a37c04
SHA256 94c526622f287da4e6f6fc06ccc71c5e39f353ac4a69f73242108a1be228cd01
SHA512 bba8dcb837afc78e2c19b63681cb770f44a70e42de70b6d20095559142c620cf3bd0e4f2b0cbc264048d66e043821544d2fb8b93374ec3794c2800587e49b25b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f75b5a569b26b5ed80c717cb0a9aa2ef
SHA1 9bc911f8ee950beb616665cdb8d51924918890e5
SHA256 ab3b154c405d1d8e5188326dcf9f7f2cb33ca119a42ecc080ea9deb86c9b722b
SHA512 f178b19f70d17875b2d0a0cf61ec5d69d6c95f9e116085db511de3ca3d9f411805ae9d6ebd89474c18fdcffa9caa122323103ce2254a3bcd35747390c9edf110

C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

MD5 2d68adc297ba15436f12f0aaae2d4071
SHA1 d0797bca48cb12826935cf1c0dfa9ab436aa641a
SHA256 a1cb3a3a7a4b06f4649b8f6e41ebacc014e44c6902e83683082b96dc15409175
SHA512 f07b7e95c4a3f505165f709d31557e74a4d7bb90cef8586454f75007169e278cfc8fb77383eaf6c25e246cab94bf55f718b4acd181eb00c59e0ff3a6795eec1e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4067748b2bf4b4a51410977e261807b8
SHA1 9c71032e4f8886a416c8ba89e1b34c9c9c9f46bc
SHA256 6aa02f0a2c19b668e80813faca68fcb562afa8ed4306fbf1feb81f69298c4620
SHA512 dbe9901658e571400b225f84e35713fd7ea43a979631b61466c47ed0b513c7b16b1029bead2aa3a83e015c5a5ff1a377aaddf9b3aa7f5915fea6d1d7ef597b47

C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

MD5 5929c883abe77a485cd673712e6157cd
SHA1 6c4350f263841285bdb4151f15f8826214e35db6
SHA256 5aa35028cc6760b422be3fcecfdbe1596b7696a08bccfbf1ee895b21ae48db9d
SHA512 285854de724bacb90aa4f8ba536766759a93befe609150daabd5afd75c89f60065e325b1f8c3545c86bc48225f7bf1c77ade8854abf779a7e2224ab16717c308

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 330c57bd87c17d42ee4e2788d2ea4029
SHA1 df9a8ab8defd407563acc26a33c48d5898b0afa7
SHA256 dce7945e04bb9cc21f600e962449583aee6623801565aaecd2564033e0395aa4
SHA512 d42a9d7ed1f2830136e8403a121054dc5ad7a78c1ac499563a8a28c6f8174c8909f116baf40d9bdad85375f05fcf42fc1e51f40f2ddf49e8be26b4a1f1c95be9

C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat

MD5 396b6bdcd5e5069f244b1eeb16bfa7d6
SHA1 6868e291ee94ca91fc2da6bdfa1dc31033941904
SHA256 5395f9b7a648022efc5cd8b8eddbf5468b3de092104f646de5766d8a7b3899b5
SHA512 12371ba9f02fee6efc156e1f8eabfd33d2088d6c6a1c9837fa1ddeb59add8d1c211796d457a20b7d56d8cc90e873f05975b3c9fe9f3a7cfad7bd9caad28c8644

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc0c286438eb45cb50c6231cefbf8738
SHA1 7882d0d80d1b8f92c0a8fb6a84a2a8b017072a35
SHA256 c7e15bb3f1549d4e78fe540189860fb36502ab7e1417d2fe8ad3ae6f17ba6bae
SHA512 6467e3b56280584081e8304cbf169f6dee47ef09a1566f57d92f11fdef9483382bccd56877446f11662dc96efcc6ec874520a21ca5a7b0f2d650829322f17cad

C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

MD5 f399cc4c701a67a4c565fbdb8b728b64
SHA1 f7ea9b60c123fe32534f92a8619bd73d3e510461
SHA256 3e52c028ff897d02ca40b85d3eccf2d9e72acd273c5a3f02e89e203361d7f394
SHA512 3da43f4275fe93047bbdf4226fbb4bdda058fe9de7a9c2f2ea293009f3f91ba41cb760368cc3ac629ce6390ba41c85784178b595a2b0b7f3a3dd76008025d79e

memory/1184-562-0x0000000000280000-0x0000000000390000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7169006b1ec248d66b375dbb38cde3c5
SHA1 8b51c871e56bba2736cd211ca5167e0f747ca24f
SHA256 e689ec16271e1907f83234ab7a085b3913f94dd7af2a42d950e62b986f5301a1
SHA512 b8b4a198b85996bd749ed9e37bafef7c9af89ce90be02248e7b4640514ef6c281092d108073fdf3ade0439680266477a61de0531cf51f19d53ea1b75df44356a

C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

MD5 d53357e2c8f39eac0ee58f6caba60b60
SHA1 5b16748f2e5dcc8d9714f3c1a6bf843ea8eb0ab7
SHA256 edfc7335e0e4196748346280d5865d72efd608ce4407d2cfa9754c43adc0d62b
SHA512 18721a834a756bad3b6412c4d851546eecd33cd034da5d176db426bbbe34b12de639924985a4e5f206e1448823eebde2e3b52f8cfbef89d45f943b74debb11c4

memory/2132-622-0x0000000000BE0000-0x0000000000CF0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7871f69675f7bb8654e370bfc71122b3
SHA1 77c63486edceaaf5c03c16f5a0c0accda09936c5
SHA256 0be4af2a40ae102387b565377b04d2a8c2573de8f7ffecf2e83edd8643a2b0d6
SHA512 304ebb07a698334afd21c7885b325024e38cc94fbe04e072b98b41aed79964d0e67c08ce41580568c73741c77a5484ea3ea04728e71f872d65531d1bc45791d0

C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat

MD5 56a20d8878cd3cb9bca7f9d37d280423
SHA1 cde388d248f1b59223da6d1b9aa3d51fa2ecdf89
SHA256 a063a5b4352e62309c9311051b8299f62e33621739c5e8797b6ed83e399be1b1
SHA512 e75a43b1701c5692b09dfc3f8fc827049d3dbc463a4eb697489f2f39be51d3e806cd6d79f82041ee4eb1b5f8e2930c67793d1f03534a1d76db14b6accc3d5d18

memory/2868-682-0x0000000000260000-0x0000000000370000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9e3d6c5e88ebe264bf1ffff4303f839
SHA1 60da5d11b95d5655dc365a53306efc5f002cbe64
SHA256 f26f04f0c736e8fdf3163d38371748a2e0b0b9a019f9b284a0d4ac10eecab73f
SHA512 0ef7487237bcf4ceb0a841934421bb4e1048b3d2aee6ab1487bb6f2a0ebe37061e7444fdd6f19d64041d05ae4c6869822e3c01af40a7d7b563b9a96cd25fb2cd

C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat

MD5 9df396c5e0d7a57e38d8ae4bb6264236
SHA1 47916441423647a4032ec84a73b39ed0263eb0de
SHA256 32aff5481abb5f3efa3f61b234fa0ea96978863d3730902d80ec35fe5276685a
SHA512 ee82d31bbc2c202f7642eafc88b95dca4c2ab51a4e19c81af9fd0e3a6a5d210ab2812bc7475662c578bf2ee1a446ef6263741a8de9c332b17b0cac1fd4bb5672

memory/2460-742-0x0000000000960000-0x0000000000A70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 02:01

Reported

2024-12-30 02:03

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (×7)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (×8)
N/A N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A (×13)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (×4)
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe N/A (×13)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe C:\Windows\SysWOW64\WScript.exe (×3)
PID 3884 wrote to memory of 1988 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (×3)
PID 1988 wrote to memory of 4256 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe (×2)
PID 4256 wrote to memory of 4220 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (×2)
PID 4256 wrote to memory of 1456 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (×2)
PID 4256 wrote to memory of 1196 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (×2)
PID 4256 wrote to memory of 3488 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (×2)
PID 4256 wrote to memory of 3424 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe (×2)
PID 3424 wrote to memory of 2996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (×2)
PID 3424 wrote to memory of 4720 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe (×2)
PID 4720 wrote to memory of 2276 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\cmd.exe (×2)
PID 2276 wrote to memory of 4280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (×2)
PID 2276 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe (×2)
PID 1652 wrote to memory of 2360 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\cmd.exe (×2)
PID 2360 wrote to memory of 3180 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (×2)
PID 2360 wrote to memory of 4524 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe (×2)
PID 4524 wrote to memory of 2792 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\cmd.exe (×2)
PID 2792 wrote to memory of 3388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (×2)
PID 2792 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe (×2)
PID 4536 wrote to memory of 884 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\cmd.exe (×2)
PID 884 wrote to memory of 4544 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (×2)
PID 884 wrote to memory of 3172 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe (×2)
PID 3172 wrote to memory of 1196 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\cmd.exe (×2)
PID 1196 wrote to memory of 460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (×2)
PID 1196 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe (×2)
PID 1268 wrote to memory of 3396 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\cmd.exe (×2)
PID 3396 wrote to memory of 4000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (×2)
PID 3396 wrote to memory of 4200 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe (×2)
PID 4200 wrote to memory of 2896 N/A C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe C:\Windows\System32\cmd.exe (×2)
PID 2896 wrote to memory of 1248 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (×2)
PID 2896 wrote to memory of 2992 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe (×2)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\winlogon.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6kHtwRJ3KO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe

"C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

C:\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgjg3jmg.bpd.ps1

C:\Users\Admin\AppData\Local\Temp\6kHtwRJ3KO.bat

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat

C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat

C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat

C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat

C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat

C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat

C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat

C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat