Malware Analysis Report

2025-08-10 11:52

Sample ID 241230-cxrh7avnbp
Target JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f
SHA256 6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f
Tags
rat dcrat discovery execution infostealer
score
10/10

Analysis Overview

score
10/10

SHA256

6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f

Threat Level: Known bad

The file JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Process spawned unexpected child process

DCRat payload

Dcrat family

DcRat

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 02:27

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 02:27

Reported

2024-12-30 02:30

Platform

win7-20240903-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\24dbde2999530e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\csrss.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PCHEALTH\ERRORREP\QHEADLES\69ddcba757bf72 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Prefetch\taskhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Prefetch\b75386f1303e64 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\inf\wsearchidxpi\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Windows\inf\wsearchidxpi\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\inf\wsearchidxpi\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\inf\wsearchidxpi\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe C:\Windows\SysWOW64\WScript.exe
PID 2328 wrote to memory of 2400 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2712 wrote to memory of 2520 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2172 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2268 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 1912 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 1936 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2368 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2380 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2508 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 1460 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 1460 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1460 wrote to memory of 872 N/A C:\Windows\System32\cmd.exe C:\Windows\inf\wsearchidxpi\dllhost.exe
PID 872 wrote to memory of 2000 N/A C:\Windows\inf\wsearchidxpi\dllhost.exe C:\Windows\System32\cmd.exe
PID 2000 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2000 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\inf\wsearchidxpi\dllhost.exe
PID 2820 wrote to memory of 1500 N/A C:\Windows\inf\wsearchidxpi\dllhost.exe C:\Windows\System32\cmd.exe
PID 1500 wrote to memory of 2132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1500 wrote to memory of 1872 N/A C:\Windows\System32\cmd.exe C:\Windows\inf\wsearchidxpi\dllhost.exe
PID 1872 wrote to memory of 1584 N/A C:\Windows\inf\wsearchidxpi\dllhost.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\wsearchidxpi\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\inf\wsearchidxpi\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\wsearchidxpi\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\wsearchidxpi\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J4Xd3ofT6n.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\wsearchidxpi\dllhost.exe

"C:\Windows\inf\wsearchidxpi\dllhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\J4Xd3ofT6n.bat

C:\Users\Admin\AppData\Local\Temp\Cab437.tmp

C:\Users\Admin\AppData\Local\Temp\Tar459.tmp

C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat

C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat

MD5 c962bb8dee6e6481e801773bcc8b3458
SHA1 ea0cdd394d42f8a500eb96e46af3115ec72cb206
SHA256 fcb7d560316622e5bf4ddefad6de706f4c7af408885fd08ad57e10f52734c1b5
SHA512 4352823ed96c298479fc317c2c76b653dc5a9bfdd1ce7f8fd33a400fa7473c083d53d9423a404bca4c9e147c4708c163c1bdae64eddfa723ab532dd954330f9e

C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

MD5 b5d721c1632f079362ee6e5ed603e23e
SHA1 5806ae0c52493dd60d44736b1082bdb8a72bbf1a
SHA256 4f15b73ea1f8fbbc4e87c50c9b1a313353f4f59dc1aba0789cce304200b4a8af
SHA512 2a9370def70798003eee7986d8cec4daa0eb3aad2e5c8976e016c48b5b39ea668b08eb6e7e102ecc0875c19bfd559c5020a12a2026ac79d08e49c7b4953f0b64

memory/2100-560-0x00000000013C0000-0x00000000014D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc3877d18af98dce50a54330f94139eb
SHA1 8bc4fa0a9152f1b5005c44e22af83fa6ac8cb2d3
SHA256 78896088086d2e2bba55c50cab2f577c715f24c9e3645b0c0e191e4dd73105f0
SHA512 c1a1caf5a0b6ece150950f2485fc24f189e4812197475c04aa00702396f1f1e1263cf59a1f57b1255c8edb8e43491bccd74ba0a529918ffd68cb03f7c38c2c05

C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

MD5 022732bee0662cbd2b4b38e4d149f956
SHA1 6efa018cf78ec32468aac0113f06f25f92a94adb
SHA256 dd474b47b4575e54079725c362bbf5c7b14afd2b84707907f7938c05808b1f01
SHA512 d16f3a96f0839873b935b6a638c20f80c2eb243caa8eecbb867d0e28bf091f4588e688aaa40f70eeeaf0fa66c73b627598a691f2ae6d92478c7968f45420266c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f4641de2e4344d0136a7c5cf2da05b7
SHA1 98610daff13dacdc7f09c4c0dad2bf018bc98dbe
SHA256 282d26e7f3246844f19af7a8506f3994a62fb4edade917d0b9dcedac2bcc9f0c
SHA512 98e9fda6777bd7acb2fdb9174eb996030b0f977f6eaec7cb62a2adc78c189dd7f48de2204c5f86022082063f7fbf72d4f75287e093615d7a47e2ca070552e652

C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

MD5 e2d4c0f3c8ae9b2e14c9a24ad97296e1
SHA1 67e30a3838c9f38489fedcc044b98369dde64ca7
SHA256 07e11a2c46b62b08ac55ecfa495025c78ef9977e7e93ba9728ef6d9696decebe
SHA512 bebec1ab7c05b9b58a3bebbd69591726c6640b1c106e1059b50c61e0f511137f1797792daf64de042baf68b7cb0a961c7f368eb54aab4f3dc54c7b1367414bdf

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 02:27

Reported

2024-12-30 02:30

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 51

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe N/A 13
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A 1

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target Count
N/A raw.githubusercontent.com N/A N/A 14

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\5b884080fd4f94 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\root\loc\fontdrvhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\root\loc\5b884080fd4f94 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\38384e6a620884 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\7-Zip\Lang\38384e6a620884 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e6c9b481da804f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\7-Zip\Lang\SearchApp.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PolicyDefinitions\es-ES\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Speech\unsecapp.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Speech\29c1c3cc0f7685 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\debug\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\uk-UA\StartMenuExperienceHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\RemotePackages\RemoteDesktops\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\PolicyDefinitions\es-ES\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\debug\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Windows\uk-UA\StartMenuExperienceHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\uk-UA\55b276f4edf653 C:\providercommon\DllCommonsvc.exe N/A

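Both drop tables show one pattern: an executable is written under the name of a genuine Windows or Office binary (RuntimeBroker.exe, fontdrvhost.exe, spoolsv.exe, taskhostw.exe, SearchApp.exe, unsecapp.exe, StartMenuExperienceHost.exe, OfficeClickToRun.exe) into a directory where that binary never lives, and next to it sits a file whose name is 14 lower-case hex characters with no extension. The Python below is an added example, not part of the sandbox output: it triages the 25 paths copied from the two tables, flags the misplaced binaries, pairs each with its companion file in the same directory, and groups the companion names by binary name. The directories given as the legitimate home of each binary are an assumption about a stock Windows 10 / Office Click-to-Run install and should be checked against a known-good host of the same build.

```python
"""Triage of the file drops in the two tables above: well-known binary names written
outside their real directories, each beside a 14-hex-character companion file."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Where the genuine binaries live. Assumption: stock Windows 10 / Office Click-to-Run
# layout; verify against a known-good host before relying on it.
EXPECTED_DIRS = {
    "runtimebroker.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "taskhostw.exe": {r"c:\windows\system32"},
    "unsecapp.exe": {r"c:\windows\system32\wbem"},
    "searchapp.exe": {r"c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy"},
    "startmenuexperiencehost.exe": {r"c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")  # e.g. 9e8d7a4ca61bd9, no extension

# Paths copied from the "Drops file in Program Files directory" and "Drops file in
# Windows directory" tables (the last entry repeats the "opened for modification" row).
REPORTED_DROPS = [
    r"C:\Program Files (x86)\Mozilla Maintenance Service\logs\5b884080fd4f94",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\OfficeClickToRun.exe",
    r"C:\Program Files\Microsoft Office\root\loc\fontdrvhost.exe",
    r"C:\Program Files\Microsoft Office\root\loc\5b884080fd4f94",
    r"C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd",
    r"C:\Program Files\Microsoft Office 15\ClientX64\f3b6ecef712a24",
    r"C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe",
    r"C:\Program Files (x86)\Windows Sidebar\Gadgets\38384e6a620884",
    r"C:\Program Files\7-Zip\Lang\38384e6a620884",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e6c9b481da804f",
    r"C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe",
    r"C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe",
    r"C:\Program Files\7-Zip\Lang\SearchApp.exe",
    r"C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe",
    r"C:\Windows\PolicyDefinitions\es-ES\RuntimeBroker.exe",
    r"C:\Windows\Speech\unsecapp.exe",
    r"C:\Windows\Speech\29c1c3cc0f7685",
    r"C:\Windows\debug\9e8d7a4ca61bd9",
    r"C:\Windows\uk-UA\StartMenuExperienceHost.exe",
    r"C:\Windows\RemotePackages\RemoteDesktops\9e8d7a4ca61bd9",
    r"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe",
    r"C:\Windows\PolicyDefinitions\es-ES\9e8d7a4ca61bd9",
    r"C:\Windows\debug\RuntimeBroker.exe",
    r"C:\Windows\uk-UA\StartMenuExperienceHost.exe",
    r"C:\Windows\uk-UA\55b276f4edf653",
]


def is_masquerade(path: str) -> bool:
    """A well-known binary name dropped somewhere the real binary never lives."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    return name in EXPECTED_DIRS and str(p.parent).lower() not in EXPECTED_DIRS[name]


def is_companion(path: str) -> bool:
    """A 14-hex-character file name with no extension."""
    return COMPANION_RE.match(PureWindowsPath(path).name.lower()) is not None


def pair_drops(paths):
    """Map each drop directory -> (masqueraded exe, companion file) found in it."""
    by_dir = defaultdict(lambda: {"exe": set(), "companion": set()})
    for path in dict.fromkeys(paths):  # de-duplicate while keeping order
        p = PureWindowsPath(path)
        d = str(p.parent).lower()
        if is_masquerade(path):
            by_dir[d]["exe"].add(p.name.lower())
        elif is_companion(path):
            by_dir[d]["companion"].add(p.name.lower())
    return {d: (min(v["exe"]), min(v["companion"]))
            for d, v in by_dir.items() if v["exe"] and v["companion"]}


def companion_iocs(paths):
    """Companion file names grouped by the binary name they were dropped beside."""
    iocs = defaultdict(set)
    for exe, comp in pair_drops(paths).values():
        iocs[exe].add(comp)
    return dict(iocs)


if __name__ == "__main__":
    for d, (exe, comp) in pair_drops(REPORTED_DROPS).items():
        print(f"{d}: {exe} + {comp}")
    print(companion_iocs(REPORTED_DROPS))
```

Three companion names repeat across directories: 9e8d7a4ca61bd9 beside every RuntimeBroker.exe, 5b884080fd4f94 beside every fontdrvhost.exe and 38384e6a620884 beside every SearchApp.exe, so for this sample the companion name is a usable file-name indicator on its own. A name-and-path check is only a first pass; on a live host confirm a suspect file with Get-AuthenticodeSignature rather than trusting its name, and extend EXPECTED_DIRS before reusing the check on a different Windows build.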
Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target Count
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe N/A 13
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe N/A 1

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\schtasks.exe N/A 51

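The "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task" signatures describe the same 51 events: schtasks.exe started with C:\Windows\system32\wbem\wmiprvse.exe as its parent. WmiPrvSE.exe is the parent whenever a process is created through WMI (Win32_Process.Create), which management tooling also does, so the useful signal is the child image together with the rate, not the parent on its own. The report records no command line for these launches (Indicator N/A), so nothing here keys on task names. The Python below is an added example, not part of the sandbox output: it runs both checks over constructed Sysmon-style process-creation events whose PIDs and timestamps are made up; the child names listed beside schtasks.exe are an assumption.

```python
"""Detection logic for the two scheduled-task signatures above: schtasks.exe launched
with wmiprvse.exe as parent, and a burst of schtasks.exe launches from one parent."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WMI_HOST = "wmiprvse.exe"
# Children the WMI provider host should not normally launch. schtasks.exe is what this
# report observed; the other three are an assumption added for broader coverage.
UNEXPECTED_WMI_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe"}


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def unexpected_wmi_child(event: dict) -> bool:
    """True when wmiprvse.exe (a WMI Win32_Process.Create caller) spawned an
    interpreter or the task-scheduler CLI."""
    return (_basename(event["ParentImage"]) == WMI_HOST
            and _basename(event["Image"]) in UNEXPECTED_WMI_CHILDREN)


def schtasks_bursts(events, window=timedelta(seconds=60), threshold=10):
    """Parent PID -> largest number of schtasks.exe launches it made inside `window`,
    keeping only parents at or above `threshold`."""
    by_parent = defaultdict(list)
    for e in events:
        if _basename(e["Image"]) == "schtasks.exe":
            by_parent[e["ParentProcessId"]].append(e["UtcTime"])
    hits = {}
    for ppid, times in by_parent.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ppid] = best
    return hits


def build_sample_events():
    """Constructed Sysmon Event ID 1 style records (not from the report). The 51
    wmiprvse.exe -> schtasks.exe launches mirror the 51 rows above; PIDs and times
    are made up."""
    t0 = datetime(2024, 12, 30, 2, 28, 0)
    events = [{
        "UtcTime": t0 + timedelta(seconds=i),
        "Image": r"C:\Windows\system32\schtasks.exe",
        "ProcessId": 5000 + i,
        "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
        "ParentProcessId": 2900,
    } for i in range(51)]
    # Benign control: one schtasks.exe run from an interactive shell.
    events.append({
        "UtcTime": t0 + timedelta(minutes=5),
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ProcessId": 6100,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentProcessId": 6000,
    })
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    flagged = [e["ProcessId"] for e in evs if unexpected_wmi_child(e)]
    print(f"wmiprvse.exe -> unexpected child: {len(flagged)} events")
    print("schtasks.exe bursts by parent PID:", schtasks_bursts(evs))
```

The burst threshold (10 launches in 60 s) is a starting point to tune against your own baseline of schtasks.exe activity. On a live host the two fields used here come from Sysmon Event ID 1 (Image, ParentImage) or from Security Event ID 4688 with the creator process name enabled in the audit policy.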
Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\providercommon\DllCommonsvc.exe N/A 5
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 57
N/A N/A C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe N/A 2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 18
Token: SeDebugPrivilege N/A C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe N/A 13

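The SeDebugPrivilege rows above and the WriteProcessMemory rows in the next table are easiest to read as a process tree. Each WriteProcessMemory row pairs a writing process with a process it has just launched, and the sandbox logs two or three such rows per launch, so once the repeats are collapsed the table doubles as a process-creation log. The Python below is an added example, not part of the sandbox output: it parses a subset of those rows (copied into the block), rebuilds the tree, and reports the interpreter hops on the path to any PID. Its only assumption is the row format shown in the table.

```python
"""Fold the parent -> child rows of the WriteProcessMemory table into a process tree."""
import re
from collections import OrderedDict, defaultdict
from pathlib import PureWindowsPath

# A subset of the rows copied from the table below; the parser keeps one edge per
# parent/child PID pair, so the repeated rows per launch collapse.
WPM_ROWS = r"""
PID 4144 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe C:\Windows\SysWOW64\WScript.exe
PID 4144 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe C:\Windows\SysWOW64\WScript.exe
PID 4144 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe C:\Windows\SysWOW64\WScript.exe
PID 3936 wrote to memory of 2256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 2256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 2256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2256 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4132 wrote to memory of 640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1156 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1156 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4336 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2420 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


def parse_rows(text):
    """Ordered, de-duplicated (parent_pid, child_pid, parent_image, child_image) edges."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, pid, pimg, cimg = m.groups()
            edges[(int(ppid), int(pid))] = (pimg, cimg)
    return [(pp, c, pi, ci) for (pp, c), (pi, ci) in edges.items()]


def build_tree(edges):
    """children: parent PID -> child PIDs in launch order; images: PID -> image path."""
    children, images = defaultdict(list), {}
    for ppid, pid, pimg, cimg in edges:
        children[ppid].append(pid)
        images.setdefault(ppid, pimg)
        images[pid] = cimg
    return children, images


def roots(edges):
    """PIDs that only ever appear as a parent, i.e. where the chain started."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def chain_to(edges, pid):
    """Image basenames from the root down to `pid`."""
    parent_of = {c: p for p, c, _, _ in edges}
    _, images = build_tree(edges)
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [PureWindowsPath(images[p]).name for p in reversed(chain)]


def interpreter_hops(chain):
    """The script hosts and shells a chain passes through, in order."""
    return [n for n in chain if n.lower() in INTERPRETERS]


def render(edges):
    """Indented text tree, one line per process."""
    children, images = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{PureWindowsPath(images[pid]).name} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    print(render(edges))
    print("hops to PID 640:", interpreter_hops(chain_to(edges, 640)))
```

For this detonation the chain resolves to sample .exe, then WScript.exe, then cmd.exe, then C:\providercommon\DllCommonsvc.exe, which in turn launches the powershell.exe instances; that script-host to shell to dropped-executable to PowerShell sequence is the part worth turning into a process-lineage rule, since every binary on the path except the dropped one is a stock Windows interpreter.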
Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4144 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe C:\Windows\SysWOW64\WScript.exe
PID 4144 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe C:\Windows\SysWOW64\WScript.exe
PID 4144 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe C:\Windows\SysWOW64\WScript.exe
PID 3936 wrote to memory of 2256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 2256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 2256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2256 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4132 wrote to memory of 640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1156 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1156 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4336 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4336 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2344 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2344 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 3832 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 3832 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4032 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4032 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1604 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1604 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4252 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4252 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4372 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4372 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 3948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 3948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2420 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2420 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2076 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2076 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 736 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 736 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1596 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1596 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 5020 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 5020 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4528 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4528 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2864 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe
PID 4132 wrote to memory of 2864 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe
PID 2864 wrote to memory of 5672 N/A C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 2864 wrote to memory of 5672 N/A C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5672 wrote to memory of 5740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5672 wrote to memory of 5740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5672 wrote to memory of 5848 N/A C:\Windows\System32\cmd.exe C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe
PID 5672 wrote to memory of 5848 N/A C:\Windows\System32\cmd.exe C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe
PID 5848 wrote to memory of 5976 N/A C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5848 wrote to memory of 5976 N/A C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 5976 wrote to memory of 6032 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5976 wrote to memory of 6032 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5976 wrote to memory of 6136 N/A C:\Windows\System32\cmd.exe C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe
PID 5976 wrote to memory of 6136 N/A C:\Windows\System32\cmd.exe C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe
PID 6136 wrote to memory of 1168 N/A C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 6136 wrote to memory of 1168 N/A C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 1168 wrote to memory of 1568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1168 wrote to memory of 1568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1168 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe
PID 1168 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\uk-UA\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\uk-UA\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\es-ES\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Speech\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Favorites\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\root\loc\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\loc\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\root\loc\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\es-ES\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\unsecapp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\loc\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe

"C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4132-12-0x00007FFC76913000-0x00007FFC76915000-memory.dmp

memory/4132-13-0x0000000000530000-0x0000000000640000-memory.dmp

memory/4132-14-0x0000000000CF0000-0x0000000000D02000-memory.dmp

memory/4132-15-0x0000000002980000-0x000000000298C000-memory.dmp

memory/4132-16-0x0000000000F60000-0x0000000000F6C000-memory.dmp

memory/4132-17-0x0000000002990000-0x000000000299C000-memory.dmp

memory/1604-63-0x00000121E8370000-0x00000121E8392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jpbhjql.n2i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2864-168-0x000000001BBE0000-0x000000001BBF2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28d4235aa2e6d782751f980ceb6e5021
SHA1 f5d82d56acd642b9fc4b963f684fd6b78f25a140
SHA256 8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638
SHA512 dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

MD5 21b0112a9d31f0d63a16cf9fd9af55e1
SHA1 ce4713f9a4db3090e23812914a343e11b4706900
SHA256 c59f719e1cbea6a9ae273ca9b844ad165db93ba0a9c2b257b31defa45aa16c29
SHA512 c15617f845391c880af5e867843525c72cb1c76d40244527ad11f5253a45c8b237ec8ba97781820bee88cf717e3f82aadc7be3d0075d6745c0139f0651051dcd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/5848-272-0x000000001B7F0000-0x000000001B802000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat

MD5 d9c2e19a74f79b67bfb23d57d8c8d2b7
SHA1 8186c4a19982bb0078654535d5ead09986a35ddc
SHA256 df57302bce2d09686f3e14211432c901240d236e2a0d87edddd0fb831a91ca63
SHA512 b13730e260954bb1c39d994ac099c16ab71a90655fb904a322898c8578f7b9eea171aef35bcd0e5e4ace155374a34c2e667a94768d9031b4bc55db1597f1d67c

C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

MD5 d520b07f72805fdab6e57de5fc98c6f4
SHA1 fa9fb04b4f308810987d35dbf0c1daf61d155a74
SHA256 8049b0094c0bce001dff3c3f351fde10d3d8f8cee05cc5506e3ea44b84051898
SHA512 95a7dc4232eb03f060caf703de499c21a53928a0a4e375fbaaa3c02bc00872fc29c674f851dac373c7f796df77fd4bd5ade3499d1f5f8ce5feb3a7aa3f025f48

C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

MD5 272e4f2eecd8c8cf81b9eb4ef4274a67
SHA1 6e1f2115342db043fa314b6618e361cd3d9eb486
SHA256 899113d1a244a1f8af4875d26bf830602cd8b94270fc21c28850e25b68851894
SHA512 4a1c72c2ef2c87bb7bc734822b365d3e1de9b244be272300ba9ac34ca5c58d5ceb4202b3fecf57d6cbf92882c9036909d7e6df15797dcb9ffd6bdcb9a4729340

memory/780-291-0x000000001BFF0000-0x000000001C002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

MD5 969a9cc15fffec738ee8b4627091a398
SHA1 4acd5c61549c154f246fc567578a7ed3c0003844
SHA256 25b4a6ca1a08899cb7b0c017e961684db13d3efa4451256b231268c52b491471
SHA512 077d1364a3fc29922d73478eed4c30afa631e627847e89adc1a6de71f678448fce9a51319c5ae05d7a375a7b9614fb344a5317200bc70dbc7c662da92415b790

C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

MD5 9eec8efff5e3d31273483618a5e9f32a
SHA1 8bb53c8f1ee63179ffce11231a229b9eb5f9fe3d
SHA256 f6e64c29aec854ebeda5df3818355c3f44ee95620283815da1d0d3e399e9175a
SHA512 3e881fea31ecf03d72c34b1fdb39eb032deb35012bdf65f7346da57858351bca0f8b1c8c2dfff45dff58ec289244efb2536eafec4475ae6bf5f4e7ee06d86e3d

C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat

MD5 32035ff5d8e87460a1d6b8b9ab866fa3
SHA1 f1b0798df659ea3d4e61f6b5563abd36ae9c8847
SHA256 2edca5e49629477f6160d4a2626f461f80b22b6ed9dd79783d978790e89bdece
SHA512 3f1b90b39bbdf7d82622d3298ba4c9b1034572f98f1d207ec4b998de4e68021b88c23fb870f3e718390595ab8c48dc533b3ffef728aa2a5c81eadd49acf58115

C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

MD5 68800c1ab94490c24595907d3f0938c4
SHA1 c253ff7ab08bcde0da31b7d8f56268460377478f
SHA256 3eb43415d569f761ed4a9dd15c22c1c2edc78bdd9ad894efe56267c12305fdd9
SHA512 59a0b62fd7ffd4226b79d09ad9010bbbd90ed33e780db24675696d1a74c8c02b11e3a4160aab836d997196edf92666b03cec9000ddfe73d718e5c52642dbbb86

memory/776-316-0x000000001BDF0000-0x000000001BE02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

MD5 ae9707ec8fe090ec6ac147bc71994f9d
SHA1 7a38d7ca331afad4ecb37abb6fd899884b9d472f
SHA256 940a35fdf174f08d0430c6d6ec7421dd1ff12bd1a96da8eb879dad11aba4cece
SHA512 bb0c8ee20315c86061848c6a46ce09ee5af59dfb188ef43e92b2e92d3c13f2ef6ede2e1df822ae62678b6d64fa98405ac09f479bff1d35343a4a5ee2d20ba2cb

C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

MD5 27871d3ef3bc5961073f96a02df704c1
SHA1 9da40bc46073623acee85d90e38f3a67d6d67daf
SHA256 ad5125620f7e84d50f3928f1f7fce6103f6e3ac285a0901baba8663122020ffd
SHA512 6d5ac57c32c82f485f4430c35b1b7a32e295640d662e55f3d13e6b54d175cfb6058d0950c987038ed7b3b0942a548165677cb33870228196c2bd7588770f06f4

C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

MD5 5b54ff9579820695f6df563fe47cdcec
SHA1 7e12d5b0021389753b582c6b74075eb747b48a88
SHA256 f733c20a8eb0559431e8921b182575ef07cc81fdc8bea3e3145de30bede9cba0
SHA512 59e337e21ac363d27753274518764ccb7b070a4b4ef805fef9e3cc03987a39a927cda71c09fe95e0c7fc6bd21f8296ca01f65645a7d8e70adc8bda4e0e65e8fa

C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat

MD5 40cbb9830fa894c74cf80c47ff38f08b
SHA1 ba9c4409db1301cf70ae1d34d93a8d948e4433e7
SHA256 7f43ef8f3fbe4b4cf932ad42ba1646967fc4fe17978c053eb7149b0ae1c50889
SHA512 0ea79c86152b214632caf2a5b3dd3b6eef5a22bf5abdc951fa3c349f47c000039b526d8313b0a2dbc041dd5354c4ef5c90dc01ebc012b5d3fddfe4e0b4794584

C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

MD5 0eabee644551e92423372234b5892e79
SHA1 5765c0fb138511871a6d5b2c0f11fa6a55c1c7a4
SHA256 efff2ac7b927e24464061b784f35994860d2eec29eb4764e07ad05c227587e06
SHA512 e7a1ca86e2df78d4cb37bad5fa693310778792159a714d33566e3368cf9f928ee014fd46e1c112f65e355b133a34053e4efe0c443412f5fb652d2fdeea4a1f7c