Malware Analysis Report

2025-08-05 09:04

Sample ID: 241230-v9m1mstpdw
Target: JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f
SHA256: 91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f
Tags: rat dcrat discovery execution infostealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f

Threat Level: Known bad

The file JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 17:41

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 17:41

Reported

2024-12-30 17:44

Platform

win7-20241010-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\lib\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Java\jre7\lib\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe C:\Windows\SysWOW64\WScript.exe
PID 1964 wrote to memory of 2824 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2900 wrote to memory of 1280 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 3016 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1852 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 2976 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 2000 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2000 wrote to memory of 1784 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2000 wrote to memory of 268 N/A C:\Windows\System32\cmd.exe C:\Users\Public\conhost.exe
PID 268 wrote to memory of 1632 N/A C:\Users\Public\conhost.exe C:\Windows\System32\cmd.exe
PID 1632 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1632 wrote to memory of 876 N/A C:\Windows\System32\cmd.exe C:\Users\Public\conhost.exe
PID 876 wrote to memory of 1592 N/A C:\Users\Public\conhost.exe C:\Windows\System32\cmd.exe
PID 1592 wrote to memory of 1092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1592 wrote to memory of 1036 N/A C:\Windows\System32\cmd.exe C:\Users\Public\conhost.exe
PID 1036 wrote to memory of 300 N/A C:\Users\Public\conhost.exe C:\Windows\System32\cmd.exe
PID 300 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 300 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\Users\Public\conhost.exe
PID 2956 wrote to memory of 2204 N/A C:\Users\Public\conhost.exe C:\Windows\System32\cmd.exe
PID 2204 wrote to memory of 2436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\lib\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OQU2DA9XHb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\conhost.exe

"C:\Users\Public\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\conhost.exe

"C:\Users\Public\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\conhost.exe

"C:\Users\Public\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\conhost.exe

"C:\Users\Public\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\conhost.exe

"C:\Users\Public\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\conhost.exe

"C:\Users\Public\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\conhost.exe

"C:\Users\Public\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\conhost.exe

"C:\Users\Public\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\conhost.exe

"C:\Users\Public\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

C:\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\OQU2DA9XHb.bat

C:\Users\Admin\AppData\Local\Temp\Cab175A.tmp

C:\Users\Admin\AppData\Local\Temp\Tar177C.tmp

C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat

C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat

C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat

C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 17:41

Reported

2024-12-30 17:44

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Default\Documents\My Videos\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\55b276f4edf653 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\ebf1f9fa8afd6d C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Registration\CRMLog\sihost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Registration\CRMLog\66fc9ff0ee96c2 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Default\Documents\My Videos\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
N/A N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Documents\My Videos\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4072 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe C:\Windows\SysWOW64\WScript.exe
PID 4072 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe C:\Windows\SysWOW64\WScript.exe
PID 4072 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe C:\Windows\SysWOW64\WScript.exe
PID 2112 wrote to memory of 4636 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 4636 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 4636 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4636 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1748 wrote to memory of 4516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 4516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 4900 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 4900 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 384 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 384 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 3968 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 3968 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 2984 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 2984 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 4576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 4576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 4568 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 4568 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 2380 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 2380 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 3944 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 3944 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 4816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 4816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 4368 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 1748 wrote to memory of 4368 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 4368 wrote to memory of 4016 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 4368 wrote to memory of 4016 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 4016 wrote to memory of 3532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4016 wrote to memory of 3532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4016 wrote to memory of 3764 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 4016 wrote to memory of 3764 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 3764 wrote to memory of 4756 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 3764 wrote to memory of 4756 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 4756 wrote to memory of 1548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4756 wrote to memory of 1548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4756 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 4756 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 2732 wrote to memory of 3064 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 2732 wrote to memory of 3064 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 3064 wrote to memory of 1500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3064 wrote to memory of 1500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3064 wrote to memory of 2084 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 3064 wrote to memory of 2084 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 2084 wrote to memory of 3860 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 2084 wrote to memory of 3860 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 3860 wrote to memory of 3708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3860 wrote to memory of 3708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3860 wrote to memory of 3500 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 3860 wrote to memory of 3500 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 3500 wrote to memory of 1520 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 3500 wrote to memory of 1520 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 1520 wrote to memory of 2392 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1520 wrote to memory of 2392 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1520 wrote to memory of 1048 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 1520 wrote to memory of 1048 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe
PID 1048 wrote to memory of 4884 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 1048 wrote to memory of 4884 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe
PID 4884 wrote to memory of 548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4884 wrote to memory of 548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
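
The "Process spawned unexpected child process" rows above and the "Suspicious use of WriteProcessMemory" rows just listed together describe the whole execution chain: the dropper starts WScript.exe on the .vbe, which runs cmd.exe on the .bat, which starts DllCommonsvc.exe; that binary then launches ten powershell.exe instances and the dropped "My Videos\cmd.exe", whose batch loop alternates w32tm.exe and a fresh copy of itself. The schtasks.exe processes show up under WmiPrvSE.exe, i.e. they were created through WMI rather than as direct children. The script below, an added example and not part of the sandbox output, rebuilds that tree from the row text and applies the parent/child rules a hunter would run over real process-creation telemetry. The rows are copied from the two tables (a representative subset; the WriteProcessMemory table repeats each edge two or three times, once per call). The rule names, the WINDOWS_NAMES list (taken from the file names this sample drops) and the helper functions are mine.

```python
"""Rebuild the detonation's process tree from the signature rows and flag the edges a hunter
would act on.  Added example for this report, not sandbox output; rows copied from the tables."""
import re
from collections import Counter, defaultdict

UNEXPECTED_CHILD_ROWS = [
    r"Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe",
] * 14  # the report lists this row 14 times, once per schtasks.exe spawn

WPM_ROWS = [  # representative subset of the WriteProcessMemory table, duplicates kept on purpose
    r"PID 4072 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 4072 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2112 wrote to memory of 4636 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 4636 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe",
    r"PID 1748 wrote to memory of 4516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 1748 wrote to memory of 4368 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Default\Documents\My Videos\cmd.exe",
    r"PID 4368 wrote to memory of 4016 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe",
    r"PID 4016 wrote to memory of 3532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 4016 wrote to memory of 3764 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Documents\My Videos\cmd.exe",
    r"PID 3764 wrote to memory of 4756 N/A C:\Users\Default\Documents\My Videos\cmd.exe C:\Windows\System32\cmd.exe",
    r"PID 4756 wrote to memory of 1548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
]

# Paths may contain spaces ("My Videos"), so split on the ".exe " boundary rather than on whitespace.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)
CHILD_RE = re.compile(r"^Parent (.+?\.exe) is not expected to spawn this process N/A (.+\.exe)$", re.I)

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Windows binary names this sample reuses for its dropped copies (from the schtasks /tr paths); assumption: my list.
WINDOWS_NAMES = {"cmd.exe", "conhost.exe", "sihost.exe", "wininit.exe", "dllhost.exe",
                 "unsecapp.exe", "sppsvc.exe", "startmenuexperiencehost.exe"}


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_edges(wpm_rows, unexpected_rows):
    """One (parent_pid, child_pid, parent_path, child_path) per unique edge.  The unexpected-child
    table carries no PIDs, so those edges get None and are only used for path-based rules."""
    seen, edges = set(), []
    for row in wpm_rows:
        m = WPM_RE.match(row)
        if m and (m[1], m[2]) not in seen:
            seen.add((m[1], m[2]))
            edges.append((int(m[1]), int(m[2]), m[3], m[4]))
    for row in unexpected_rows:
        m = CHILD_RE.match(row)
        if m:
            edges.append((None, None, m[1], m[2]))
    return edges


def render_tree(edges):
    """Indented tree of the PID-bearing edges; roots are parents never seen as a child."""
    path_of, kids = {}, defaultdict(list)
    for ppid, cpid, ppath, cpath in edges:
        if ppid is not None:
            path_of.setdefault(ppid, ppath)
            path_of[cpid] = cpath
            kids[ppid].append(cpid)
    children = {c for cs in kids.values() for c in cs}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {path_of[pid]}")
        for c in kids.get(pid, []):
            walk(c, depth + 1)

    for root in [p for p in kids if p not in children]:
        walk(root, 0)
    return lines


def classify(parent_path, child_path):
    """Hunting rules for one parent->child edge; returns the findings that fire."""
    p, c, out = base(parent_path), base(child_path), []
    if p == "wmiprvse.exe" and c == "schtasks.exe":
        out.append("schtasks.exe created through WMI (parent is the WMI provider host)")
    if p in SCRIPT_HOSTS and c in SHELLS:
        out.append("script host spawning a shell")
    if p in SHELLS and not child_path.lower().startswith(TRUSTED_ROOTS):
        out.append("shell launching an executable outside Windows/Program Files")
    if c in WINDOWS_NAMES and not child_path.lower().startswith("c:\\windows\\"):
        out.append(f"{c} running from a non-Windows path (masquerading)")
    return out


def report(edges):
    """Findings per unique (parent, child) name pair, with how often the pair occurs in the tree."""
    pairs = Counter((base(p), base(c)) for _, _, p, c in edges)
    findings = {}
    for _, _, ppath, cpath in edges:
        key, hits = (base(ppath), base(cpath)), classify(ppath, cpath)
        if hits and key not in findings:
            findings[key] = (pairs[key], hits)
    # cmd.exe -> w32tm.exe recurring down the tree is the sleep-then-relaunch loop of the .bat files.
    loop = ("cmd.exe", "w32tm.exe")
    if pairs[loop] >= 2:
        findings[loop] = (pairs[loop], ["repeated cmd.exe -> w32tm.exe: delay loop between relaunches"])
    return findings


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS, UNEXPECTED_CHILD_ROWS)
    print("\n".join(render_tree(edges)))
    for (p, c), (n, hits) in report(edges).items():
        print(f"{p} -> {c} (x{n}): " + "; ".join(hits))
```

The same rules map directly onto Sysmon Event ID 1 or EDR process-creation records (ParentImage/Image instead of the row text); the WMI-parent rule in particular needs the parent path, which is why a detection keyed on schtasks.exe's own command line alone misses this chain.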

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91adb63135fe2e2165feef8f8a1a4971041d2efa716fbb1bd751da90221cba9f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Videos\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Videos\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Documents\My Videos\cmd.exe

"C:\Users\Default\Documents\My Videos\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
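
The Processes list above shows the persistence and evasion pattern in full: for every dropped binary, DllCommonsvc.exe registers three tasks (two MINUTE tasks sharing one name but with different /mo intervals, the second of which replaces the first because of /f, and one ONLOGON task with /rl HIGHEST), then runs powershell Add-MpPreference to exclude the same path from Defender; the dropped cmd.exe afterwards loops through temporary .bat files that run w32tm /stripchart against localhost as a few-second delay before relaunching it. The script below, an added example and not part of the sandbox output, parses those command lines, groups the tasks by target, correlates them with the exclusions and emits the cleanup commands (schtasks /delete and Remove-MpPreference are the documented Windows counterparts of what the sample ran). COMMAND_LINES is a representative subset copied from the list; the WINDOWS_NAMES list and the helper names are mine.

```python
"""Triage the schtasks.exe, powershell.exe and w32tm.exe command lines from the Processes section.
Added example for this report, not sandbox output; COMMAND_LINES is copied from the list above."""
import re
from collections import defaultdict

COMMAND_LINES = r'''
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /f
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Videos\cmd.exe'" /f
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\cmd.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Videos\cmd.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\cmd.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
'''.strip().splitlines()

# schtasks /create as the sample invokes it: /tn "name" /sc SCHED [/mo N] /tr "'path'" [/rl HIGHEST] /f
TASK_RE = re.compile(
    r'''schtasks(?:\.exe)?\s+/create\s+/tn\s+"(?P<name>[^"]+)"\s+/sc\s+(?P<sched>\w+)'''
    r'''(?:\s+/mo\s+(?P<mo>\d+))?\s+/tr\s+"'(?P<target>[^']+)'"(?P<rest>.*)$''', re.I)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.I)
DELAY_RE = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost\b", re.I)

# Windows binary names this sample reuses for its dropped copies; assumption: my list, from the /tr paths.
WINDOWS_NAMES = {"cmd.exe", "conhost.exe", "sihost.exe", "wininit.exe", "dllhost.exe",
                 "unsecapp.exe", "sppsvc.exe", "startmenuexperiencehost.exe"}


def masquerades(path):
    """A system binary name living outside C:\\Windows is a dropped copy, not the real one."""
    return path.rsplit("\\", 1)[-1].lower() in WINDOWS_NAMES and not path.lower().startswith("c:\\windows\\")


def parse(lines):
    """Split the command lines into scheduled tasks, Defender exclusions and w32tm delay calls."""
    tasks, exclusions, delays = [], [], 0
    for line in lines:
        if m := TASK_RE.search(line):
            tasks.append({"name": m["name"], "sched": m["sched"].upper(),
                          "every_min": int(m["mo"]) if m["mo"] else None,
                          "target": m["target"], "highest": "/rl highest" in m["rest"].lower()})
        elif m := EXCL_RE.search(line):
            exclusions.append(m["path"])
        elif DELAY_RE.search(line):
            delays += 1
    return tasks, exclusions, delays


def triage(lines):
    """Per persistence target: task names, intervals, ONLOGON/HIGHEST, Defender exclusion, masquerade.
    Also returns exclusions with no task (here the dropper itself) and the number of w32tm delays."""
    tasks, exclusions, delays = parse(lines)
    excluded = {p.lower() for p in exclusions}
    by_target = defaultdict(list)
    for t in tasks:
        by_target[t["target"]].append(t)
    summary = {}
    for target, ts in by_target.items():
        summary[target] = {
            "task_names": sorted({t["name"] for t in ts}),
            "intervals_min": sorted(t["every_min"] for t in ts if t["every_min"]),
            "onlogon_highest": any(t["sched"] == "ONLOGON" and t["highest"] for t in ts),
            "defender_excluded": target.lower() in excluded,
            "masquerade": masquerades(target),
        }
    targets_lc = {t.lower() for t in by_target}
    orphans = sorted(p for p in exclusions if p.lower() not in targets_lc)
    return summary, orphans, delays


def cleanup_commands(summary, orphans):
    """Remediation lines derived from the findings; run elevated, then delete the target files."""
    cmds = []
    for target, s in summary.items():
        for name in s["task_names"]:
            cmds.append(f'schtasks /delete /tn "{name}" /f')
        if s["defender_excluded"]:
            cmds.append(f"powershell -Command Remove-MpPreference -ExclusionPath '{target}'")
    for p in orphans:
        cmds.append(f"powershell -Command Remove-MpPreference -ExclusionPath '{p}'")
    return cmds


if __name__ == "__main__":
    summary, orphans, delays = triage(COMMAND_LINES)
    for target, s in summary.items():
        print(target, s)
    print("excluded without a task:", orphans, "| w32tm delay calls:", delays)
    print("\n".join(cleanup_commands(summary, orphans)))
```

Two practical notes. Because each MINUTE task is created twice under the same name with /f, only the second definition (the one with /rl HIGHEST) survives, so a live host shows two tasks per binary, not three; and Add-MpPreference only succeeds in an elevated session, so a successful exclusion here is itself evidence the payload ran with administrative rights, which matches the SeDebugPrivilege use recorded above.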

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53           75.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53           raw.githubusercontent.com     udp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       8.8.8.8:53           133.108.199.185.in-addr.arpa  udp
US       8.8.8.8:53           154.239.44.20.in-addr.arpa    udp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa   udp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       8.8.8.8:53           200.163.202.172.in-addr.arpa  udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53           92.12.20.2.in-addr.arpa       udp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       8.8.8.8:53           182.129.81.91.in-addr.arpa    udp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       8.8.8.8:53           22.49.80.91.in-addr.arpa      udp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       185.199.108.133:443  raw.githubusercontent.com     tcp
US       185.199.108.133:443  raw.githubusercontent.com     tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1748-12-0x00007FFC5A1D3000-0x00007FFC5A1D5000-memory.dmp

memory/1748-13-0x0000000000300000-0x0000000000410000-memory.dmp

memory/1748-14-0x000000001B000000-0x000000001B012000-memory.dmp

memory/1748-15-0x000000001B140000-0x000000001B14C000-memory.dmp

memory/1748-16-0x000000001B120000-0x000000001B12C000-memory.dmp

memory/1748-17-0x000000001B130000-0x000000001B13C000-memory.dmp

memory/4900-48-0x0000027627FD0000-0x0000027627FF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tlhugpsf.igw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4368-139-0x0000000003170000-0x0000000003182000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat

MD5 f25b976ac68cfeca921719c326186be1
SHA1 17b772a61d3417e15705742db668e13fc56f778e
SHA256 7fa777efd57b02bb6b4dded1c70d7541af0376e0a945369575a95481d1fd677f
SHA512 09f18c11b1136432ec0c331d9292bb2815870dd1695e3b0476d15abb9f92598fb1df87d586009962b5cd7208e522529e83cceea07421bd5edfd746e7662fd56f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/3764-169-0x000000001BAB0000-0x000000001BAC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat

MD5 e7c8c16b7e363c6e93ddb2acb6334dfe
SHA1 a8f5f3c32bd090c04067e89794f2615e98b2f04b
SHA256 638838b323f0f225b0cea7d3357b9c9cccea276dee2a8035433d77506fc9ecf1
SHA512 95e9e5aa6518baa689896125e6ba50fffc64ec2190c3919abd0b10716e30ab01430aa6401f2572cff6a1017acfcedcb77cdc27f1da37b0fb3cb24d62fdac29d5

memory/2732-176-0x0000000002530000-0x0000000002542000-memory.dmp

memory/2732-181-0x000000001B8C0000-0x000000001B9C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

MD5 a70b4c1188cb3e8174c2a501fc925636
SHA1 668bd3766da7019b1bf9f45109f6fbb66c4677dc
SHA256 ce997816ca15a30ae636c63401c90ded3cf65b1206f5b58d1f7a23fe0e4b1fb9
SHA512 1ecc4d091e717371bc36b9ab89b14ae59b82d82bb7b65e617742f0816e0f83a8c004c78c403a2b058bc203d091e2cf1c98ade68f835a9ae5d994a351393f0071

memory/2084-188-0x000000001C1E0000-0x000000001C2E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat

MD5 3b6245a62a38f75e888c49e323d3ba82
SHA1 519c25aa1212e12bbef870cea5668855502791db
SHA256 2fe24dcccfd3c961d0f03b1e89065bf63f3f967edbde0c70ef163960e9e6942e
SHA512 134e9f1567faf03ef37597458e23f1f31da2bcb6eaf112ff7b86e88279b1ac6bad17820e64e7c7903c0a942daba4092a929ff0fbce9d2525e2d5bee59829c856

memory/3500-191-0x0000000001440000-0x0000000001452000-memory.dmp

memory/3500-196-0x000000001C2B0000-0x000000001C3B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

MD5 da2dff7279d5118e58540b644111d642
SHA1 9d85b9ac5bf84ed887924f2e2d8ddf73fecc0cc7
SHA256 20d77629e931019e576b261be53b9f3c16113f47fb0a619d65c417cd06f92af4
SHA512 c1e9876a2c6187eb0472edb7e9bec3a0a9769f64e672b8e5edfc9f1a4d01c73a4b0fbdade300e97353d30aadff1d73df68a3b1ca6007ec315b6a5556060cd917

memory/1048-203-0x000000001BB00000-0x000000001BC02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat

MD5 3badf7ab622429c4d5bec60e0ead82da
SHA1 a0b3bbff39ee17aaae0d3252fc472e6f322597d3
SHA256 02c40bd3cfc92cf5f31fb6db70fef7571e1106dd4536cde5a31d76b5e8b68082
SHA512 f76c185fcab4d04d336ef5fed1c4d3b4699b90b5453be66450790d21fcd3b263c445e84589238e0c6f396f1384f89b536e847ca9277bec20b78ce4706e38a9c5

memory/1728-206-0x0000000001530000-0x0000000001542000-memory.dmp

memory/1728-211-0x000000001C1A0000-0x000000001C2A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat

MD5 a044669517dea07dcef55748b394355d
SHA1 90996fa7be272f307b926016bdecc1b161b156fb
SHA256 ff75718391b22ab9bf54fa8d2d01dabd924f73d21cbdc29ba3ba560c98172abd
SHA512 712c664e6d9a964346c8965531eaf2cc17bbe9893c79fe4f64942641189d92875df97c687a2c1ff901403dd5a5cc00f147315d7ac140b62a0ae3a0862034b4ce

C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat

MD5 c24bfbc266228c31608d09e5aaa1b2b8
SHA1 fa33639b9e07729a283f4ee452b1b9fbf16c7ff2
SHA256 30e543fd94aebbd865148913859d89e2afe81c1446cd0d12ae91805c82f4fa45
SHA512 89c1a5874c49c55c68e2a85fc925a62da787992a68bda28805833a888ad71cfa97b81cd463862305ba62aa9bb294eaec9b85f8e8b72a1e04a517362b0b59c437

C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat

MD5 49deed557c1315590d5cd05a80090546
SHA1 7a6c6dc56fab946a94a883a2eda0ba7e36d2f4c0
SHA256 e23bb47cb34b6c8888b3f0d6b5eb1eabef5dc94ce7ddee5bef3ef2468acc584d
SHA512 078404b2ce099da79b78a66f9967db4ddbf77dad7c1c75c6083c34b8449eafe9aec9f14489c380ca839b93954ac481f4834946f031e76908b1cc465b4e2450ae

C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat

MD5 1b284bf2b4ebd640f966815efba3d621
SHA1 44cd46fa40daab12f41d9539faf10015c63a7070
SHA256 fa3a3e703a32d0c3a3ad3563eecf316ce39b7e93e6dd6750478f8531e9cbcc2a
SHA512 c197ce549efd72c9ac7f7730367f87b2054116d3d92dabd3975939b617e54f715c3e54aee4cd4e013e53212317a6edef979c47e3c49d483aa35e37be0f2e682b

C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat

MD5 97bb59281d36475a43b4b64bbeaae3d6
SHA1 a2f107fe9c995bec143286d67f3c3dff1a4bba18
SHA256 edfb547c70c160684128802d47f1f660484695e0910c81cbb8771158a82f3188
SHA512 e2b05f1e2ce64a161ea560b03f29f656f82c9493352dab382f0821cfa6b035bd261bf46035b467daeba9a96cb3683d7bc420427d4c38cfc93302c856a04ce6c1

memory/768-238-0x0000000002A90000-0x0000000002AA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat

MD5 abc1a467416810212b726f1be7bd6aaa
SHA1 98750c60ae91d84d4a8116f8e634fda0c8dbb3cf
SHA256 de2585ab8b3c9294b4ada06ee913c55b6359758630c3d2f73f0484938a65e791
SHA512 d93c9d6912eaf3f03735829d797d6b8068c5dac9a3601bd1737fc1bc6801e88ce7372f6c2f8a548854be549f1217b953edc1656e3df8465b65726ba06e787a84

memory/2900-251-0x0000000002AD0000-0x0000000002AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat

MD5 e0b11e9ef9e04eb45acaf683668d96fc
SHA1 cf39822d09d4a0d6605d06975a2bd40d648edf40
SHA256 a6975e5c046670262915710d6b9fe73efb63ce6ce825397f3cff3ca1971ca258
SHA512 5e47399734e0c41478fe8830b103b3bdf23afe61db2837298e7fce5ec2941ba5377cf279ab403bd415f8f687829eaa949d45c4d5161af08721830eb781dbe4d6