Malware Analysis Report

2025-08-11 05:04

Sample ID 241230-b4fjtstndp
Target JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5
SHA256 81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5
Tags: rat dcrat discovery execution infostealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5

Threat Level: Known bad

The file JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

DcRat

Dcrat family

DCRat payload

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-30 01:41

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-30 01:41

Reported: 2024-12-30 01:44

Platform: win7-20241010-en

Max time kernel: 149s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\b75386f1303e64 | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1528 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe | C:\Windows\SysWOW64\WScript.exe
PID 1528 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe | C:\Windows\SysWOW64\WScript.exe
PID 1528 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe | C:\Windows\SysWOW64\WScript.exe
PID 1528 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe | C:\Windows\SysWOW64\WScript.exe
PID 2544 wrote to memory of 1824 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 1824 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 1824 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 1824 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1824 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 1824 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 1824 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 1824 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 2060 wrote to memory of 2108 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2108 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2108 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2928 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2928 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2928 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2940 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2940 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2940 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 1492 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 1492 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 1492 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 316 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 316 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 316 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2720 | N/A | C:\providercommon\DllCommonsvc.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2060 wrote to memory of 2720 | N/A | C:\providercommon\DllCommonsvc.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2060 wrote to memory of 2720 | N/A | C:\providercommon\DllCommonsvc.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2720 wrote to memory of 2404 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 2720 wrote to memory of 2404 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 2720 wrote to memory of 2404 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 2404 wrote to memory of 2588 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2404 wrote to memory of 2588 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2404 wrote to memory of 2588 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2404 wrote to memory of 1544 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2404 wrote to memory of 1544 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2404 wrote to memory of 1544 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 1544 wrote to memory of 2932 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 1544 wrote to memory of 2932 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 1544 wrote to memory of 2932 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 2932 wrote to memory of 1964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2932 wrote to memory of 1964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2932 wrote to memory of 1964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2932 wrote to memory of 2244 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2932 wrote to memory of 2244 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2932 wrote to memory of 2244 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2244 wrote to memory of 1424 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 2244 wrote to memory of 1424 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 2244 wrote to memory of 1424 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 1424 wrote to memory of 2076 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1424 wrote to memory of 2076 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1424 wrote to memory of 2076 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1424 wrote to memory of 1316 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 1424 wrote to memory of 1316 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 1424 wrote to memory of 1316 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe
PID 1316 wrote to memory of 2204 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 1316 wrote to memory of 2204 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 1316 wrote to memory of 2204 | N/A | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe | C:\Windows\System32\cmd.exe
PID 2204 wrote to memory of 2228 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2204 wrote to memory of 2228 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2204 wrote to memory of 2228 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2204 wrote to memory of 1268 | N/A | C:\Windows\System32\cmd.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp
US | 185.199.109.133:443 | raw.githubusercontent.com | tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2060-13-0x00000000000B0000-0x00000000001C0000-memory.dmp

memory/2060-14-0x0000000000560000-0x0000000000572000-memory.dmp

memory/2060-15-0x0000000000570000-0x000000000057C000-memory.dmp

memory/2060-16-0x0000000000580000-0x000000000058C000-memory.dmp

memory/2060-17-0x0000000001F30000-0x0000000001F3C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 126e6c0b32b109c5254d0902e7d1c033
SHA1 efa4c566411b6acb6d30db893461c9ae20d8716e
SHA256 9b00538185356417b70af05e29ef7f267308d03b3b6a66c7116fdfa0b7433809
SHA512 cf16f1db2560dbb013c68ffeaea101d58cdfa2dc2661189982b76f945c68a1061b170328354000d69b31eb1aa5d88e2e00f3d3b79be95ce4fca65d4d6b8f8299

memory/2720-51-0x0000000000DF0000-0x0000000000F00000-memory.dmp

memory/1492-57-0x000000001B660000-0x000000001B942000-memory.dmp

memory/316-58-0x0000000001D70000-0x0000000001D78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD1C2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD1D5.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat

MD5 b0d2865ed890c452071e1a3a53b8c5af
SHA1 fc34a551bc0002557c71b5f6272490ef692f35ad
SHA256 a260c2cf886e64c9378c416bee276d03c0492fa3d76fe0f3dc1f9f8175be4b9e
SHA512 d73c672274983b6876c2c97b81ffc9f0dc69367811ef40f873339d91281d567cc9c26a82d579adc8c1edf74eceedc42651826a644b82c8d608e32ac170894864

memory/1544-117-0x00000000003C0000-0x00000000004D0000-memory.dmp

memory/1544-118-0x00000000003B0000-0x00000000003C2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78286e0c8a4b01e9e48bb9eb3ffd30d5
SHA1 18590d510010854f1324df1a9a31c516a8db7d42
SHA256 aa4ac32df6dc6881bd1ec2647b29d242e69cec572901f8e0e49952c64a6a2b3b
SHA512 657eca1973cb255ab87863c2d09361d94df640f7bece1a91f3a7889968e5061bf85e530fc7529f645a5ebddaa819d4b6d94ffc6152547337fbd3f6824a842a4e

C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

MD5 472c0ea65b807df0e9b37f640bd158d3
SHA1 87c106a434f5a4520b02f34d1197a38e9cf74818
SHA256 fa08da76a872c2a39748922206ee6f0a934fe1e3dc0fb3770b492e693e6e5b19
SHA512 c69de0e04e0bf42bc2191a02b39499e679c75830948f78d9199197a1d7279695874ab2bbe43b016f7659f0832fae2b2d1935c1c23246bd0c7da89e0d723c4ac3

memory/2244-178-0x0000000000D80000-0x0000000000E90000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7f26c57ed899be46bfcc07b6d020180
SHA1 3559e143bda44d894a1cefc16cead9bdf63db702
SHA256 97b565b7e4941e27dccd4065df5583791f2e2349f79d4aa71f77b5fb6a1e474d
SHA512 a8d812c71b98f7c77c063d692f316dd3ad5eea722ea78f488838e9092720eb91cf46ec3187cbbe5bffd5e1004005264eb498ce0e1651907e684b77cef239ae6d

C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

MD5 1fc1435fff5321f84f7266de8a075eb1
SHA1 24321999642c2d5177ad145a5f19754b2a46de8f
SHA256 fd1d2c0c89a1a4fb9c69935e6b793e905f5966b7924d3138dca64102baf4315e
SHA512 d054be38646a0882cf283b3f3fa65af09c116b4d18771198773d23c759fb1c06d371674976f5e1bc5dfe585d9a3a1de5cafe0bb0356552d685390091940b38e1

memory/1316-238-0x0000000000E00000-0x0000000000F10000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f586a5c8714df71b0c89c944466a38a
SHA1 cc7d1828fd9eca8fb96bfd14c015557d4077057f
SHA256 7f34d703bbdbc795760d6bcb51525a966905713691acf5cc8fbae300170af80c
SHA512 e16f3e1af547d938569bdd2bfc41ed30828ed5a79f0f20540240e4adcb3e061359a44e1d6476d5021510dd47c436e003cfefb92a12a941530fd160454e98dbb0

C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

MD5 9ecec34ca06e648442fe31a0fa10ce0e
SHA1 5edefe6613d84df11722d2cc76dc3a5a9fd2b85a
SHA256 d70daf05213b97240a1ed73b31d1afa152ebc6bca8ece7f378313a31f3a73623
SHA512 1ae7653339caef9a6d82657bfd47a2472b5f4ab0267def89050201309fd66c6e0936e8dfcb6f7285a473a8fe07a74e5ac31048eb698c3c585067ad8ac89d4e67

memory/1268-298-0x0000000000F30000-0x0000000001040000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9348318beb3c1fad9ac95ee81ab6654a
SHA1 ec13ac95925f716d036edac05f69b96e2807ded5
SHA256 583ac9e55a9e5c94ba33e4720295297ae5bfe39daa7d595976f188e341cec9e1
SHA512 9971f51dcec0c4d4abad859f96d7a6a1fd68e7d513ff1fe139cbf221cfa4136d2763c5f84e72fed24dc0dc710b2069f78832bf2eab5a93d7ea286457cc342b45

C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

MD5 8de5a3d808411c354347d6594a8058b4
SHA1 f33ef86b329ba00d95e3afeb8ecff4e2e035d3a8
SHA256 52978cebde5e9cb75db9290379399e86d0d947f5cc514e368ac3a5f96f2d47c6
SHA512 a90814a837999326f568bd8494ef2461b2854e6507c5f7c350d1678c0cb3f893e0b60e58ddc58d2c5a9ec9d8824f1d3c23f8d00adb1463e2975e0a1335f39ea4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0530c3fab368340fa4535e0db9d0b43b
SHA1 662a8840dce83f9fc64e11f0adaa533c35bceb39
SHA256 fa72dffbea4eb51dff0fae7e704eeeda5c82ce2496773b83212388973b8c7c4e
SHA512 90e901adea4cc7af425b3f38d6214450ed653e1cdbf3d7b22c116f3e4ed399c8c8e4a781214168e780e329075da1e8f11fd382ea409ef9b4530acd597d2b1744

C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat

MD5 6fcca29d206a4434128f03d31e0e9cf8
SHA1 0d71d5fe9f17be0ecc02de473fad2c9678114474
SHA256 c3940a7a26c67b6fb4a9d8872f8889a5d5c21d85e41be578b391fb6a0ec99088
SHA512 2f5a528450700f2ac17b55e2f83dcca7b10e0d73fbf8b12185688bfccb4908144fcdac6f8a0b8f0606778ae8c6e181005652e1a6a0476bc020ebbfd47cc49043

memory/1924-417-0x00000000002D0000-0x00000000002E2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 203d007f5aa5573c209518832d71d251
SHA1 f5de79977adb8897dc8af5bb9d79153af16ff71d
SHA256 dfafbe63690f72f092f7c7753f48cc936db6ddb37fd952d27e9a13c1c7ae12e2
SHA512 83afe4df19ef7f4d490e668e26373e502c64e22954b666596baf4acf6bcfe5e3ea847be77f0b5604e45498c177ca7f0ea5f72bdbf065193d6f66d1b1d8c4f6ba

C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

MD5 7a3fc26456409eed88b6c8b543723806
SHA1 9ff030343345a0f3f38c03cbccf72a004db9bca4
SHA256 7a20c0187ba4ea95cadda49ceb07b2142b849be8fc9ef565c786d9022c953ffa
SHA512 5629fb9e07fb35fedac7a9d9404dca24e37e827f55cd4e6e5ff89f5ac16112dfa4e3ae2475e960b7169f1bb0484a58764cc2894ef72f8a6ac4759064e35f840c

memory/1772-477-0x0000000000070000-0x0000000000180000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be6486c2254f5fa5bb0d35e66b8280db
SHA1 a0b081dc850b0a6912b2d9459efee46398d7198f
SHA256 ee57220a44d337e255c8d4c2b4933af2332a9149a5852a4db1998782ef341690
SHA512 9c2449da3062ba524cbf49927db7752ca4030f43a9e04b30ff7ab4973356b880bb29174cff1f3cbd722c38ea199f677f9266c7706f9f924b33829e0af1bdf0ed

C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

MD5 b1a3654189d57024580a32020ed2ab0a
SHA1 42e2041670fa251c387f58972f058f0fa39e3559
SHA256 74aa38cd06ee13507643d511d5fb3079197b148f61f28cd5a160503f474be370
SHA512 393ec2269914826b04debc422c0663efcd1c8228f51d4318afd1193ee0b6d9494e67b1af04e57169d87e9baf7395bfbc851b1c6587fea03fc1623d06a8e72f50

memory/2760-537-0x00000000001D0000-0x00000000002E0000-memory.dmp

memory/2760-538-0x00000000001C0000-0x00000000001D2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat


memory/1632-598-0x0000000000930000-0x0000000000A40000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat


Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 01:41

Reported

2024-12-30 01:44

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(45 identical entries)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
(15 identical entries)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Downloaded Program Files\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\GameBarPresenceWriter\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\GameBarPresenceWriter\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\IME\IMETC\HELP\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Downloaded Program Files\dwm.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(45 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
(7 identical entries)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(49 identical entries)
N/A N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
(8 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(16 identical entries)
Token: SeDebugPrivilege N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe N/A
(14 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe C:\Windows\SysWOW64\WScript.exe
PID 2268 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe C:\Windows\SysWOW64\WScript.exe
PID 2268 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe C:\Windows\SysWOW64\WScript.exe
PID 3268 wrote to memory of 2356 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3268 wrote to memory of 2356 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3268 wrote to memory of 2356 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2356 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4908 wrote to memory of 4576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 4576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2012 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2012 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2488 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2488 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2324 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2324 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3448 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3448 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2612 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2612 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3812 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3812 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3728 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3728 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3264 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3264 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 1724 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 1724 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 1544 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 1544 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 4244 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 4244 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3588 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 3588 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2964 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2964 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 1924 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 1924 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2424 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4908 wrote to memory of 2424 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2424 wrote to memory of 3612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2424 wrote to memory of 3612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2424 wrote to memory of 5668 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 2424 wrote to memory of 5668 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 5668 wrote to memory of 5836 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5668 wrote to memory of 5836 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5836 wrote to memory of 5896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5836 wrote to memory of 5896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5836 wrote to memory of 5988 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 5836 wrote to memory of 5988 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 5988 wrote to memory of 5024 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5988 wrote to memory of 5024 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5024 wrote to memory of 2152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5024 wrote to memory of 2152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5024 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 5024 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 2876 wrote to memory of 1612 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 2876 wrote to memory of 1612 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 1612 wrote to memory of 728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1612 wrote to memory of 728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1612 wrote to memory of 4784 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 1612 wrote to memory of 4784 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
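The rows above are the sandbox's flattened view of the relaunch loop: every RuntimeBroker.exe copy runs a .bat through cmd.exe, that cmd.exe starts w32tm.exe and a fresh RuntimeBroker.exe, and the chain repeats. The Python below is an added example (editor's code, not part of the sandbox report or the sample) that rebuilds the parent/child lineage from rows in this layout and counts how many times the loop has gone round. It assumes the row shape `PID <parent> wrote to memory of <child> N/A <parent image> <child image>` with no spaces in the image paths, which holds for the rows shown; the sample rows are copied from the table above.

```python
import re
from typing import List, Tuple

# Constructed input for this example: rows copied from the
# "Suspicious use of WriteProcessMemory" table above. The sandbox lists
# every write twice; parse_rows() de-duplicates by (parent, child) PID.
SAMPLE_ROWS = r"""
PID 2424 wrote to memory of 3612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2424 wrote to memory of 5668 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 2424 wrote to memory of 5668 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 5668 wrote to memory of 5836 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5668 wrote to memory of 5836 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5836 wrote to memory of 5896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5836 wrote to memory of 5896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5836 wrote to memory of 5988 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 5836 wrote to memory of 5988 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 5988 wrote to memory of 5024 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5988 wrote to memory of 5024 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5024 wrote to memory of 2152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5024 wrote to memory of 2152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5024 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 5024 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 2876 wrote to memory of 1612 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 2876 wrote to memory of 1612 N/A C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 1612 wrote to memory of 728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1612 wrote to memory of 728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1612 wrote to memory of 4784 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
PID 1612 wrote to memory of 4784 N/A C:\Windows\System32\cmd.exe C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe
""".strip().splitlines()

# Assumed row layout (matches the table above): image paths contain no spaces.
ROW_RE = re.compile(
    r"PID\s+(?P<parent>\d+)\s+wrote to memory of\s+(?P<child>\d+)\s+\S+\s+"
    r"(?P<pimage>[A-Za-z]:\\\S+)\s+(?P<cimage>[A-Za-z]:\\\S+)\s*$"
)

Edge = Tuple[int, int, str, str]  # (parent_pid, child_pid, parent_image, child_image)


def parse_rows(rows: List[str]) -> List[Edge]:
    """Turn the flattened rows into unique parent->child edges."""
    edges, seen = [], set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        key = (int(m["parent"]), int(m["child"]))
        if key in seen:          # the sandbox reports each write twice
            continue
        seen.add(key)
        edges.append((key[0], key[1], m["pimage"], m["cimage"]))
    return edges


def _images(edges: List[Edge]) -> dict:
    """PID -> image path, taking the parent image for PIDs never seen as a child."""
    img = {}
    for p, c, pi, ci in edges:
        img.setdefault(p, pi)
        img[c] = ci
    return img


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def children(edges: List[Edge], pid: int) -> List[int]:
    """Direct children of pid, in the order the sandbox recorded them."""
    return [c for p, c, _, _ in edges if p == pid]


def lineage(edges: List[Edge], pid: int) -> List[Tuple[int, str]]:
    """Walk parent links from pid to the oldest ancestor in the rows; root first."""
    parent = {c: p for p, c, _, _ in edges}
    img = _images(edges)
    chain = [pid]
    # stop at the root, or if a malformed input would loop back on itself
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return [(x, img[x]) for x in reversed(chain)]


def respawn_signature(edges: List[Edge], pid: int) -> List[str]:
    """Image names along pid's lineage, e.g. cmd.exe -> runtimebroker.exe -> cmd.exe ..."""
    return [basename(i) for _, i in lineage(edges, pid)]


def generations(edges: List[Edge], image_name: str) -> int:
    """Distinct processes spawned with this image name: one per trip round the relaunch loop."""
    return len({c for _, c, _, ci in edges if basename(ci) == image_name.lower()})


if __name__ == "__main__":
    e = parse_rows(SAMPLE_ROWS)
    for pid, image in lineage(e, 4784):
        print(f"{pid:>6}  {image}")
    print("RuntimeBroker.exe generations:", generations(e, "RuntimeBroker.exe"))
```

Walking the lineage of the last RuntimeBroker.exe (PID 4784) back to PID 2424 gives eight alternating cmd.exe / RuntimeBroker.exe hops, and each cmd.exe has a w32tm.exe sibling next to the RuntimeBroker.exe it starts; that alternating signature, rather than any single process name, is what a detection rule for this loop should key on.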

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81151e30e9fc06970f3bd5f677d301e8ad9d535aa0c90c460cf573db7936e1a5.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\My Documents\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\TextInputHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sfHy2UGJBc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe

"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
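The process list above is where this sample's persistence and defence evasion are visible in the clear: three schtasks entries per dropped copy (a MINUTE-interval task, an ONLOGON task and a second MINUTE task, the latter two with /rl HIGHEST), an Add-MpPreference exclusion for every drop path, and the cmd.exe / w32tm.exe / RuntimeBroker.exe relaunch chain driven by .bat files in %TEMP%. What follows is an added example, editor's Python rather than anything from the sandbox or the sample, that parses command lines in those shapes and flags binaries that borrow a Windows process name outside the system directories. The list of process names in `WINDOWS_PROCESS_NAMES` and the `SYSTEM_DIRS` allow-list are the editor's assumptions, and reading `w32tm /stripchart` against localhost as a delay of roughly period × (samples − 1) seconds is an interpretation, not something the report states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: command lines copied from the Processes list above
# (enough to exercise each parser; the real list is several times longer).
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /f""",
    r"""schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\csrss.exe'" /f""",
    r"""schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe'""",
    r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sfHy2UGJBc.bat"',
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r'"C:\Windows\IME\IMETC\HELP\RuntimeBroker.exe"',
]

# Editor's assumptions: names this sample reuses, and the only directories
# where a file with one of these names is expected to live.
WINDOWS_PROCESS_NAMES = {
    "csrss.exe", "wininit.exe", "dwm.exe", "dllhost.exe", "taskhostw.exe",
    "runtimebroker.exe", "backgroundtaskhost.exe", "textinputhost.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\systemapps\\")

DEFENDER_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)
BAT_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"([^"]+\.bat)"', re.IGNORECASE)
W32TM_RE = re.compile(r"w32tm\s+/stripchart\s+/computer:(\S+).*?/period:(\d+).*?/samples:(\d+)", re.IGNORECASE)


def _opt(cmd: str, flag: str, value: str = r"(\S+)") -> Optional[str]:
    """Return the value following /flag in a schtasks command line, or None."""
    m = re.search(r"/" + flag + r"\s+" + value, cmd, re.IGNORECASE)
    return m.group(1) if m else None


def parse_schtasks(cmd: str) -> Optional[Dict[str, object]]:
    """Pick apart 'schtasks /create ...' into name, trigger, interval, target and run level."""
    if not re.match(r'\s*"?schtasks(?:\.exe)?"?\s+/create\b', cmd, re.IGNORECASE):
        return None
    name = _opt(cmd, "tn", r'"([^"]+)"')
    sched = _opt(cmd, "sc")
    target = _opt(cmd, "tr", r'''"'?([^"']+)'?"''')   # /tr "'C:\path\x.exe'"
    if not (name and sched and target):
        return None
    minutes = _opt(cmd, "mo", r"(\d+)")
    level = _opt(cmd, "rl")
    return {
        "task": name,
        "schedule": sched.upper(),
        "every_minutes": int(minutes) if minutes else None,
        "target": target,
        "highest": bool(level and level.upper() == "HIGHEST"),
        "force": re.search(r"\s/f\b", cmd, re.IGNORECASE) is not None,
    }


def parse_defender_exclusion(cmd: str) -> Optional[str]:
    m = DEFENDER_RE.search(cmd)
    return m.group(1) if m else None


def stripchart_delay_seconds(cmd: str) -> Optional[int]:
    """Interpretation: w32tm /stripchart against localhost yields nothing useful and
    blocks for about period*(samples-1) seconds, i.e. it is being used as a sleep."""
    m = W32TM_RE.search(cmd)
    if not m or m.group(1).lower() not in ("localhost", "127.0.0.1"):
        return None
    period, samples = int(m.group(2)), int(m.group(3))
    return period * max(samples - 1, 0)


def is_lookalike(path: str) -> bool:
    """A Windows process name sitting outside the directories it belongs in."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in WINDOWS_PROCESS_NAMES and not p.startswith(SYSTEM_DIRS)


def triage(cmdlines: List[str]) -> Dict[str, object]:
    tasks, exclusions, delays, scripts, lookalikes = [], [], [], [], set()
    for cmd in cmdlines:
        t = parse_schtasks(cmd)
        if t:
            tasks.append(t)
            if is_lookalike(str(t["target"])):
                lookalikes.add(str(t["target"]))
            continue
        x = parse_defender_exclusion(cmd)
        if x:
            exclusions.append(x)
            if is_lookalike(x):
                lookalikes.add(x)
            continue
        b = BAT_RE.search(cmd)
        if b:
            scripts.append(b.group(1))
            continue
        d = stripchart_delay_seconds(cmd)
        if d is not None:
            delays.append(d)
    return {
        "tasks": tasks,
        "exclusions": exclusions,
        "relaunch_scripts": scripts,
        "delays": delays,
        "lookalikes": sorted(lookalikes),
        "highest_onlogon": [t["task"] for t in tasks if t["schedule"] == "ONLOGON" and t["highest"]],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_CMDLINES).items():
        print(f"{k}: {v}")
```

Fed the full Processes list instead of the sample, the same functions give the complete set of drop paths (every /tr target and every exclusion), which is the list to sweep for on a host, and the ONLOGON tasks with /rl HIGHEST are the ones that survive a reboot with elevated rights and should be removed first.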

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4908-12-0x00007FFF752F3000-0x00007FFF752F5000-memory.dmp

memory/4908-13-0x0000000000130000-0x0000000000240000-memory.dmp

memory/4908-14-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

memory/4908-15-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

memory/4908-16-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

memory/4908-17-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

memory/2576-58-0x000001E93F8B0000-0x000001E93F8D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_my2rzbwl.xdq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\sfHy2UGJBc.bat

MD5 7979976358e0eaa4781c3d67319d5cf2
SHA1 154a0705fbae58df96ab3daf3c0464bc43db0ce3
SHA256 2206d0b60775ba1f80c02f1fea9f5114581cf6f2633b24ee0b8e57db37be190c
SHA512 f1637eb5aaf3548025fa430d18bde9899befceec750471d6b92e071e3dd629b896f83bd124b68b4731f5861b0fccb64dd4bd69c90df06ccd9dd838a1bc9e04df

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

MD5 59e72e2c5c63316c7ee592dc5ee6cb10
SHA1 5b22eeb82ce2435f61daf4716b5340e8bcefb84d
SHA256 1196d3f55dbc5ae44f8d3a7e352bae84a4a9b1ff3fe5e54ad270d41dea58b506
SHA512 7dd6ec9fdf8c5733cde39dd1953c5f7b8a2941cffc33f42b7c4c214ffe454b0132f4eebebc2c54365c4f50bca19ba0d60261572101faade43540ccd4b89edcfb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

MD5 8c15c3ebb6c050eb017896477dc195ea
SHA1 9e1263a66983826575d2e1c9fc3bc088f17be00b
SHA256 7ab9f3a5b552e171919f3fc4cbc19f692a8b31cba40a23309972c2a051f20705
SHA512 c1cbee440f31e4919938e11e328200d9f6b8ed16a4aacb156e51028b020385f13f864f0d092ca6466204034430af57b965c0bcf49e60bd3411d7205c1237be5e

C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

MD5 2f173021f0aa587cc3d68e44d209d14b
SHA1 091a0ad396d2a4efd453986a595bba62bd315c54
SHA256 ca6bea57eac6bea5e191f79ca1afff57abbe2ed2b18668ec07363cdf8b418427
SHA512 3a63ec78957de46a736e978577e83f598c83429f21337e1b92ca0b503c270bd7f33dbd6d94f7dca42a4adb68e09ccd698a1cb2bf565df27de670154b479842d7

memory/4784-255-0x000000001AFF0000-0x000000001B002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

MD5 32235155bb5e2cc2d4dec354dfd5731a
SHA1 6d76b5651ce23e6d5247bdf7c5a99d42f5391acd
SHA256 68933ca515645d5c8ccd971b84138787df8b0049b8adda1806858877b57ea8b9
SHA512 fe3925808149c6cbf58b0b5401376b7dd35e642f4568f6b8aca3162c3a81f162f4ff3e0f7c9dffce380773b02c71e68e2246a0fada497745d0a8fd88a50f2a69

C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat

MD5 98b015a979896ac45b838712a48da014
SHA1 57429a401dfbf8866da1ed1d88fe4f3a1a84180b
SHA256 a569ad74d435d7904affb138b40820d3c4806759eb112ecc1cbbd09445538141
SHA512 058353166d4f502b91e6b19fab5647f3a6068632096dad8b6b332a297e1feb8f4e53fd53940ee1a0395834f32ea1ee4e9d2c9f4ee072c69761d32c8ead4ed4ca

memory/1532-268-0x00000000013F0000-0x0000000001402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

MD5 967f0910e8dff7d775b9b8bfff26bb31
SHA1 c54b119a3b93d046634b31cc6acc35338b721a63
SHA256 91da0ae86e63c47b709f333ec56cd934f0aa0d215bc135d07b4b2c3d578a04e9
SHA512 6b157a7123f1ba620beb199d73b6f0763e2fc7b509f49190753992904e62e9d987ff6a4c0135d8a3bdf5713149e55b041c8bec07e0e76c156657b8f1bffe0062

memory/2592-275-0x00000000015F0000-0x0000000001602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

MD5 911a80f02d8124ec7097b20c08e6847e
SHA1 577fe2563105c2ec75b4f64e60a555f824922bce
SHA256 1964abe8a09ec835b816f2bb52ab124437bd07b5e3794f4c079cb2eee2ad26b0
SHA512 7e6d1040a133a37a21b703412e387f3417449c64a1decf9feb7370f459ffb6fa5e676b208b77059e2e56de76ca92bf69cb918daf301f9885ff4c4e9929777232

C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat

MD5 ab04cecf9c619d8a1dbfe0ea9c7168b6
SHA1 b09580ff6f8009cc19131c5bcef9fd35e606d2e2
SHA256 5aafb6d0c5aa11cd4e74690085187ff0796d25f43a9fbcb1cb91a1563fb44e3a
SHA512 0e30edc39cf54ac4cc303bdd16ed8dc7a8333a5e9f5770e05f4116d7e7d5beb5c31b5fbb366d9e0e26dc71fbd8397680bd120b7b161d095542ba2b3fa998fba7

memory/3308-306-0x000000001BFF0000-0x000000001C002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

MD5 1172b415d0c06374b94281acbebbc375
SHA1 93628ac7f2b3116d184aa14c6bf35655988139b0
SHA256 6722647860fb2fe956ac834833bab205f45922882cf4950c02be1ea40a297bc1
SHA512 073237607deb1d5124948510b610d0e3e5d8232e03e2618b70efa5fdef912405ef0624f320cfd3eca9b6ab21f57645653659388714e1d8d49cc9436e5b9d6fe3

C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

MD5 44caf628e48306d15c84f33d75f0c681
SHA1 bcdd3456f494edcad51ecc0f1e891ad217485da3
SHA256 fe65db719117fd42ed2aff9e45c1afe92cb7a0af970c7485fbcfd7362dd7769a
SHA512 02dd876dd0a179c9e99423677565e069ef9ee8189fa72d2cd9d2a2fd831ba67dccca8e9efa92cc9bbb81d00828299141b5f4da624a98a86239f9f20148b0ca16

memory/4120-319-0x0000000000FF0000-0x0000000001002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

MD5 a856023f82d769a45c2682a3fb7c4207
SHA1 786699c4b9732436f0730849e97559a38b113180
SHA256 bd361b27f24b73f6f4d6bb4d4acbae769b0d8a044d14b570afc7103b25f615b6
SHA512 4686cec79038cfe03ab4f00ca36ed50d1da0f6473038cc8f00166dfecaa9461c60b7837c1f6fe3315685ab942edb13747c0949ca345271832bac5326143d6de2