Malware Analysis Report

2025-01-22 12:52

Sample ID 240520-tcfpmagh7t
Target 5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118
SHA256 c8fe094489bbbe929b676647dea128e9ef251d7babe7b6b67ee98d503eb33174
Tags vmprotect
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10

SHA256 c8fe094489bbbe929b676647dea128e9ef251d7babe7b6b67ee98d503eb33174

Threat Level: Shows suspicious behavior

The file 5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

Loads dropped DLL

Checks computer location settings

Drops startup file

Executes dropped EXE

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-20 15:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 15:54
Reported: 2024-05-20 15:57
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\csrs.exe N/A (45 identical rows; compare the 45 csrs.exe instances listed under Processes)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A (45 identical rows)

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows, no indicator or process recorded)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\csrs.exe N/A (44 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe (7 identical rows)
PID 2476 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe (7 identical rows)
PID 2476 wrote to memory of 2384 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe (7 identical rows)
PID 2476 wrote to memory of 2896 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe (7 identical rows)
PID 2476 wrote to memory of 2716 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe (7 identical rows)
PID 2476 wrote to memory of 2200 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe (7 identical rows)
PID 2476 wrote to memory of 1408 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe (7 identical rows)
PID 2476 wrote to memory of 1700 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe (7 identical rows)
PID 2476 wrote to memory of 2080 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe (7 identical rows)
PID 2476 wrote to memory of 784 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe (1 row; the table is truncated here in the report)

Processes

C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\svchost.VBS"

C:\ProgramData\Windows\csrs.exe (45 instances, all started with the same command line)

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 15

Network

N/A

Files

C:\ProgramData\Windows\svchost.vbs

MD5 f4b667fe8d75278dffe4fa57d5b7212c
SHA1 05bc96683ea77d081fedcd810c4de7e9c5bb833a
SHA256 4f1a7ce0e5031763d94e774ce4fbe096e9ad0058abb5d209988dbf375a5ec922
SHA512 52e2113bf234ea03c933d57030326e850847558ad7b195f74a99fa0d23e9857cb0e273a52a45602663462ee0bd9fee017e76e67b5a68c748e286b36d60ba6d41

C:\ProgramData\Windows\csrs.exe

MD5 e3427d9f439aebefa3d9c299e2a94af3
SHA1 ffff4672790378677ec30d3634fc593c10dfd37e
SHA256 7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6aba
SHA512 a9ffc1a3436a26b162b8933f628b6f5014b7cd5678625a479ddf6ad0ff32a50b916c2041265fa0fc6cc99fcf0c63e30eb4811cf8099cc0baf2b718647ce4160b

memory/2476-11-0x0000000004490000-0x00000000047FB000-memory.dmp

memory/2512-13-0x0000000000E70000-0x00000000011DB000-memory.dmp

memory/2512-14-0x0000000000E70000-0x00000000011DB000-memory.dmp

memory/2512-23-0x0000000000E70000-0x00000000011DB000-memory.dmp

memory/2384-26-0x0000000000E70000-0x00000000011DB000-memory.dmp

memory/2384-27-0x0000000000E70000-0x00000000011DB000-memory.dmp

memory/2384-36-0x0000000000E70000-0x00000000011DB000-memory.dmp

memory/2896-39-0x0000000000E70000-0x00000000011DB000-memory.dmp

memory/2896-40-0x0000000000E70000-0x00000000011DB000-memory.dmp

memory/2896-49-0x0000000000E70000-0x00000000011DB000-memory.dmp

memory/2716-52-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/2716-53-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/2716-62-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/2200-65-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/2200-74-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/1408-77-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/1408-86-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/1700-89-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/1700-90-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/1700-99-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/2476-101-0x0000000004490000-0x00000000047FB000-memory.dmp

memory/2080-103-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/2080-112-0x0000000001190000-0x00000000014FB000-memory.dmp

memory/784-115-0x0000000000330000-0x000000000069B000-memory.dmp

memory/784-116-0x0000000000330000-0x000000000069B000-memory.dmp

memory/2476-122-0x0000000004490000-0x00000000047FB000-memory.dmp

memory/784-126-0x0000000000330000-0x000000000069B000-memory.dmp

memory/2476-128-0x0000000004690000-0x00000000049FB000-memory.dmp

memory/1720-130-0x0000000000820000-0x0000000000B8B000-memory.dmp

memory/1720-139-0x0000000000820000-0x0000000000B8B000-memory.dmp

memory/1108-142-0x00000000010D0000-0x000000000143B000-memory.dmp

memory/1108-143-0x00000000010D0000-0x000000000143B000-memory.dmp

memory/1108-152-0x00000000010D0000-0x000000000143B000-memory.dmp

memory/2476-156-0x0000000004490000-0x00000000047FB000-memory.dmp

memory/2476-155-0x0000000004490000-0x00000000047FB000-memory.dmp

memory/3012-157-0x0000000001170000-0x00000000014DB000-memory.dmp

memory/3012-166-0x0000000001170000-0x00000000014DB000-memory.dmp

memory/1160-169-0x0000000001170000-0x00000000014DB000-memory.dmp

memory/1160-178-0x0000000001170000-0x00000000014DB000-memory.dmp

memory/2476-180-0x0000000004690000-0x00000000049FB000-memory.dmp

memory/2240-182-0x00000000000C0000-0x000000000042B000-memory.dmp

memory/2240-183-0x00000000000C0000-0x000000000042B000-memory.dmp

memory/2240-192-0x00000000000C0000-0x000000000042B000-memory.dmp

memory/2476-195-0x0000000004610000-0x000000000497B000-memory.dmp

memory/2940-196-0x0000000001180000-0x00000000014EB000-memory.dmp

memory/1900-207-0x0000000001180000-0x00000000014EB000-memory.dmp

memory/2888-218-0x0000000001180000-0x00000000014EB000-memory.dmp

memory/2960-229-0x0000000000210000-0x000000000057B000-memory.dmp

memory/2476-231-0x0000000004490000-0x00000000047FB000-memory.dmp

memory/2748-241-0x0000000000AB0000-0x0000000000E1B000-memory.dmp

memory/340-252-0x0000000000E50000-0x00000000011BB000-memory.dmp

memory/1516-263-0x0000000000230000-0x000000000059B000-memory.dmp

memory/544-274-0x0000000000DD0000-0x000000000113B000-memory.dmp

memory/772-285-0x0000000000160000-0x00000000004CB000-memory.dmp

memory/1740-296-0x00000000012A0000-0x000000000160B000-memory.dmp

memory/2764-307-0x00000000012A0000-0x000000000160B000-memory.dmp

memory/2808-318-0x0000000000180000-0x00000000004EB000-memory.dmp

memory/1576-329-0x0000000000F10000-0x000000000127B000-memory.dmp

memory/3048-340-0x0000000000F10000-0x000000000127B000-memory.dmp

memory/2192-351-0x0000000001090000-0x00000000013FB000-memory.dmp

memory/1520-366-0x00000000011D0000-0x000000000153B000-memory.dmp

memory/2940-375-0x00000000000C0000-0x000000000042B000-memory.dmp

memory/2288-384-0x00000000013A0000-0x000000000170B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-20 15:54
Reported: 2024-05-20 15:57
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\csrs.exe N/A (39 identical rows)

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A (63 identical rows, no indicator or process recorded)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A
N/A N/A C:\ProgramData\Windows\csrs.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2084 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2084 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3044 wrote to memory of 1716 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1716 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1716 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2016 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2016 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2016 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 936 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 936 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 936 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2452 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2452 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2452 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4512 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4512 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4512 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1944 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1944 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1944 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1960 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1960 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1960 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4540 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4540 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4540 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1200 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1200 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 1200 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2352 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2352 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2352 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 552 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 552 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 552 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4316 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4316 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4316 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 5104 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 5104 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 5104 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 3024 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 3024 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 3024 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4448 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4448 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4448 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 3428 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 3428 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 3428 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2028 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2028 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 2028 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4528 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4528 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4528 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4600 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4600 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 4600 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe
PID 3044 wrote to memory of 984 N/A C:\Windows\SysWOW64\WScript.exe C:\ProgramData\Windows\csrs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\svchost.VBS"

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

C:\ProgramData\Windows\csrs.exe

"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\ProgramData\Windows\svchost.vbs

MD5 f4b667fe8d75278dffe4fa57d5b7212c
SHA1 05bc96683ea77d081fedcd810c4de7e9c5bb833a
SHA256 4f1a7ce0e5031763d94e774ce4fbe096e9ad0058abb5d209988dbf375a5ec922
SHA512 52e2113bf234ea03c933d57030326e850847558ad7b195f74a99fa0d23e9857cb0e273a52a45602663462ee0bd9fee017e76e67b5a68c748e286b36d60ba6d41

C:\ProgramData\Windows\csrs.exe

MD5 e3427d9f439aebefa3d9c299e2a94af3
SHA1 ffff4672790378677ec30d3634fc593c10dfd37e
SHA256 7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6aba
SHA512 a9ffc1a3436a26b162b8933f628b6f5014b7cd5678625a479ddf6ad0ff32a50b916c2041265fa0fc6cc99fcf0c63e30eb4811cf8099cc0baf2b718647ce4160b

memory/1716-11-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1716-12-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1716-21-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2016-23-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2016-32-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/936-34-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/936-43-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2452-45-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2452-54-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4512-56-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4512-65-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1944-68-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1944-76-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1980-78-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1980-87-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1960-89-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1960-98-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4540-100-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4540-109-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1200-111-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1200-120-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2352-122-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2352-131-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/552-133-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/552-142-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4316-144-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4316-153-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/5104-155-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/5104-164-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3024-166-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3024-175-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4448-177-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4448-186-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3428-188-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3428-197-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2028-199-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2028-208-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4528-210-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4528-219-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4600-221-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4600-230-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/984-232-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/984-241-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2352-243-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2352-252-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2576-254-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2576-263-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/424-265-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/424-274-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3828-276-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3828-285-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2792-287-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2792-296-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3412-298-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3412-307-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3008-309-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3008-318-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1796-320-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/1796-329-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/4560-331-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/3288-341-0x00000000004D0000-0x000000000083B000-memory.dmp

memory/2252-351-0x00000000004D0000-0x000000000083B000-memory.dmp