Malware Analysis Report

2025-08-10 11:52

Sample ID 241230-cxybqsvlhs
Target JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6
SHA256 dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6

Threat Level: Known bad

The file JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Dcrat family

DCRat payload

DcRat

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 02:27

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 02:27

Reported

2024-12-30 02:30

Platform

win7-20240903-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 12

DCRat payload

rat
Description Indicator Process Target Count
N/A N/A N/A N/A 9

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 2

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target Count
N/A raw.githubusercontent.com N/A N/A 12

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\WmiPrvSE.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Google\Chrome\24dbde2999530e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Google\Chrome\WmiPrvSE.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A 1
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\csrss.exe N/A 11
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 5

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2140 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe C:\Windows\SysWOW64\WScript.exe 4
PID 2744 wrote to memory of 2992 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2992 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe 4
PID 2264 wrote to memory of 1776 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2264 wrote to memory of 2368 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2264 wrote to memory of 2124 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2264 wrote to memory of 2664 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2264 wrote to memory of 660 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2264 wrote to memory of 2900 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files\MSBuild\Microsoft\csrss.exe 3
PID 2900 wrote to memory of 292 N/A C:\Program Files\MSBuild\Microsoft\csrss.exe C:\Windows\System32\cmd.exe 3
PID 292 wrote to memory of 1520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 3
PID 292 wrote to memory of 2208 N/A C:\Windows\System32\cmd.exe C:\Program Files\MSBuild\Microsoft\csrss.exe 3
PID 2208 wrote to memory of 2928 N/A C:\Program Files\MSBuild\Microsoft\csrss.exe C:\Windows\System32\cmd.exe 3
PID 2928 wrote to memory of 572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 3
PID 2928 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Program Files\MSBuild\Microsoft\csrss.exe 3
PID 2268 wrote to memory of 1496 N/A C:\Program Files\MSBuild\Microsoft\csrss.exe C:\Windows\System32\cmd.exe 3
PID 1496 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 3
PID 1496 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Program Files\MSBuild\Microsoft\csrss.exe 3
PID 2424 wrote to memory of 2980 N/A C:\Program Files\MSBuild\Microsoft\csrss.exe C:\Windows\System32\cmd.exe 3
PID 2980 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 3
PID 2980 wrote to memory of 2228 N/A C:\Windows\System32\cmd.exe C:\Program Files\MSBuild\Microsoft\csrss.exe 1

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\csrss.exe'

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\csrss.exe

"C:\Program Files\MSBuild\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 raw.githubusercontent.com udp 1
US 185.199.109.133:443 raw.githubusercontent.com tcp 11

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

\providercommon\DllCommonsvc.exe

memory/2264-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp

memory/2264-14-0x0000000000570000-0x0000000000582000-memory.dmp

memory/2264-15-0x0000000000590000-0x000000000059C000-memory.dmp

memory/2264-16-0x0000000000580000-0x000000000058C000-memory.dmp

memory/2264-17-0x00000000005A0000-0x00000000005AC000-memory.dmp

memory/2900-32-0x0000000001300000-0x0000000001410000-memory.dmp

memory/2368-58-0x0000000001D90000-0x0000000001D98000-memory.dmp

memory/2368-57-0x000000001B670000-0x000000001B952000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U98IYCLQC53MT4DWSBR9.temp

C:\Users\Admin\AppData\Local\Temp\CabB0DA.tmp

C:\Users\Admin\AppData\Local\Temp\TarB0FC.tmp

C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat

memory/2268-176-0x0000000000440000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

memory/2228-295-0x0000000000090000-0x00000000001A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

memory/2696-355-0x00000000010E0000-0x00000000011F0000-memory.dmp

memory/2696-356-0x00000000006C0000-0x00000000006D2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat

memory/288-416-0x00000000002C0000-0x00000000003D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

memory/2364-476-0x00000000010C0000-0x00000000011D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

memory/1268-595-0x0000000001370000-0x0000000001480000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

memory/2868-655-0x0000000000390000-0x00000000004A0000-memory.dmp

memory/2868-656-0x00000000005E0000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3439a2b86aeffc5c4fd8f43157fa84d3
SHA1 06d57b9abbe15269f018ad78640fde3062358656
SHA256 ade96b129004e35751de144802ace7899ed65b4f6a75d60e0d3cf4e39a9ad695
SHA512 57e19a2d367f463eeb06f889a791286c123e2c3d001e0113f16654844468f656dbf83f3311e12685285a075a5ceda384415dc789cb9f6658a8645ca706a9419b

C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

MD5 7f968c3c7cd5239cb67cc5329ce43833
SHA1 e6ad3b81bb5e372fa88eb9c2d9459a04103ef633
SHA256 6ae9da66d4785858414dd5fcacc6eb52e2a90cb6f5caf10cec0a5e0721eb1653
SHA512 c52f5c5a782330709e22ea619155d92ae85038506d9d9fbc94dc0b0333feb8cc8229e594f1c3d4b25f6d3a735a61a62e563f05281502cf63510005b360b3aa77

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 02:27

Reported

2024-12-30 02:30

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Uninstall Information\66fc9ff0ee96c2 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\ebf1f9fa8afd6d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\ea9f0e6c9e2dcd C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\sihost.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 116 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe C:\Windows\SysWOW64\WScript.exe
PID 116 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe C:\Windows\SysWOW64\WScript.exe
PID 116 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe C:\Windows\SysWOW64\WScript.exe
PID 3648 wrote to memory of 4728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 4728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 4728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4728 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4388 wrote to memory of 1796 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 1796 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 2020 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 2020 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 4128 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 4128 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 1344 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 1344 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 4512 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 4512 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 2228 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 2228 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 2496 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 2496 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 2064 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 2064 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 1008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 1008 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4388 wrote to memory of 2176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2176 wrote to memory of 3964 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2176 wrote to memory of 3964 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2176 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 2176 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 1604 wrote to memory of 1476 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\Windows\System32\cmd.exe
PID 1604 wrote to memory of 1476 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\Windows\System32\cmd.exe
PID 1476 wrote to memory of 1204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1476 wrote to memory of 1204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1476 wrote to memory of 2032 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 1476 wrote to memory of 2032 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 2032 wrote to memory of 4672 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\Windows\System32\cmd.exe
PID 2032 wrote to memory of 4672 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\Windows\System32\cmd.exe
PID 4672 wrote to memory of 4044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4672 wrote to memory of 4044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4672 wrote to memory of 3620 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 4672 wrote to memory of 3620 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 3620 wrote to memory of 1280 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\Windows\System32\cmd.exe
PID 3620 wrote to memory of 1280 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\Windows\System32\cmd.exe
PID 1280 wrote to memory of 3268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1280 wrote to memory of 3268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1280 wrote to memory of 3824 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 1280 wrote to memory of 3824 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 3824 wrote to memory of 3684 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\Windows\System32\cmd.exe
PID 3824 wrote to memory of 3684 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\Windows\System32\cmd.exe
PID 3684 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3684 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3684 wrote to memory of 4124 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 3684 wrote to memory of 4124 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 4124 wrote to memory of 3080 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\Windows\System32\cmd.exe
PID 4124 wrote to memory of 3080 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe C:\Windows\System32\cmd.exe
PID 3080 wrote to memory of 3656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3080 wrote to memory of 3656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3080 wrote to memory of 2848 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe
PID 3080 wrote to memory of 2848 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfdf6f6fe3208ab1f52c73fbc2809645827ed959af4dc4f7dc100f3049fbe5d6.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Downloads\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\providercommon\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FDjabAlDYP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4388-12-0x00007FFD30E43000-0x00007FFD30E45000-memory.dmp

memory/4388-13-0x00000000005D0000-0x00000000006E0000-memory.dmp

memory/4388-14-0x00000000028F0000-0x0000000002902000-memory.dmp

memory/4388-15-0x0000000002910000-0x000000000291C000-memory.dmp

memory/4388-16-0x0000000002900000-0x000000000290C000-memory.dmp

memory/4388-17-0x0000000002930000-0x000000000293C000-memory.dmp

memory/2020-45-0x00000155A8860000-0x00000155A8882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0hula1x.evk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\FDjabAlDYP.bat

MD5 820f7492c3828554e26a1dd74e7f170a
SHA1 6d909bfc6e2fd4c009fe9e7283cd92aafa33d24e
SHA256 178e99949daa4375cb7809b6d9b81a679ba84b8cb897099f3b86a78847e02e78
SHA512 5ee3483f3704ffafde697a14c184076b0178ea1a2cb2ceecb7ee2d3817b0b727cf00abdd6230e847025a59f592286a4efee544bef8eac95a71c657b060aa6280

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

MD5 92bcba5362ecdd5a1715a195fea95634
SHA1 a8fa82d8e1c47a2a2a2dfdb151768f8925e41de4
SHA256 fe40e5ebcd47e868dccee14bec97ebebf22f2ca9f6566247deb807e6985e08fb
SHA512 afe1344aadf6e1b9d5110eb4c6c006d62258d43c4814a9b751bc546e87367d1906d408e4e973f963317e523b2acf6a7e78dcc5374a207f497c93adf8ff996339

memory/1604-163-0x000000001CAB0000-0x000000001CC1A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/2032-170-0x000000001CA00000-0x000000001CB6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

MD5 c2c1261181c6887ace6c53b20dd30c6e
SHA1 c8bcd2f57e0715b1941e405ae01f92ea1e78789a
SHA256 a99f81b9b16267b6fd75028633d4cd4f59692fced65ee4f2f5e9284cc953ede5
SHA512 e76cf82eafafc62d6d42d1699271a29e3f95318b8f411a411c39f876397b90a5965db0b9cb9853aa9a2580787dd95883fdd06e62816c54e67f79cbf180abd0ac

C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat

MD5 a1f43007e927e1791079613f677a43a2
SHA1 4cf00e45d465b54fe1031cca018a2ac3c2272286
SHA256 232df95fbcc8ee7157ca0438713ce04f935653f66cdcb7b7c4da227cc80456f2
SHA512 e080e1b7aecbdde6fa5464f3a775834d3814c91f760a11d97724dd31122d5b1475bbb93cb81e638dfc9bccfa03b429fd311388b954bac903cec5942f0bb6d00a

C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

MD5 242003e7a06d414fea9974a79879fca9
SHA1 579b60e9f77619649c1e09c4658657082ab986b0
SHA256 143cd769ad587b2a245af4a93773364b847c1c9aff4c97121eaf5b43943eb0f8
SHA512 b1fa0ce53ff91abfd11bd9b6baca1772f489191e821c31e3cbb6cad0c59649a55ded22796f3f697c31a3721bd171ca84aea081e1b4ac956139142a69274af230

C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat

MD5 4435dd52a652b8acf6712dc96dc09c39
SHA1 8e18233347aad3a7ad4205ae7363fc4976307645
SHA256 aa2b36b9ccedfd788d0df09c0e44f5a66cfe5e7e5cf1aa49843d3afac3df210a
SHA512 bff773e1225bd4878bf556cc6af80861dabac68d4419003e5101dea26f0a319890e4c29b43553ad914e05678c206cdd9da6de7c93fbf8d8396c4157c24bfa1cd

memory/2848-191-0x0000000002FF0000-0x0000000003002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

MD5 74513d67254e25d8826691f2cb50785f
SHA1 04003b8b25b8b2902ad8f82a223eb091f1b766c9
SHA256 ea0d3c0904c43a55e27c29cbf488ae45a4f99231f6f32bb210b3c1195b4c20e2
SHA512 1fdefc610fc13c54ecfef0bbb4af8bf00a63c04e6d4732f2e4ac491a03b2ed9d0fadf154198205406d9ae454c8ec349a911fbe75d8b88bb4598f3a1976b1b6be

C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

MD5 b7715f2b96e4b65e0bcbfba16f5b383b
SHA1 bbdbe743303285c56cfd03885039452581718367
SHA256 30c8139762a1e6d3bdb2f372b8c73a271a5cc8777b1605ff2b800fd617eec9a6
SHA512 1b3de1f30fe30f887f98f466beb67374de42da703bb811ab80548fd646ad1ed4340031c588874960c3d2c9ddd1f0a6c7937eba648a49abec8a804080f23ce195

C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

MD5 3c1ada63de53e24b1053ad213bff7b6f
SHA1 3ec5c0589751aabb34c520841244b2574a5d8345
SHA256 10ac6fcf27a9b8b9f959c5d617b202a70d17481050881f64fbc11bf98da9ae10
SHA512 b2f9eaee0176a6ab27edf3716265f2276d053f27adaa87abe3b02d9f04be440bb315b0037db6bc90ecaf6e4b4cbe5577977eb18098d2b1bfeb8b7084f8ebc138

memory/2284-216-0x00000000029A0000-0x00000000029B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

MD5 a2097af67a3ed07e330a2f4420d02846
SHA1 da1e37f67cbbabeff845fceeba0b56190e3575d6
SHA256 c9c41e3dbe95e1c3922b1a761fd7165184607b0a5370b49e074fded0a310c485
SHA512 1cc83801939e2ca3591cfb017776fd311a61576ab6621b90364f0b37a8960605429f701d2b2d8de7c1e8bc2c0128fb2378c76495e98e62e63609ab2476011254

memory/2564-235-0x0000000000C20000-0x0000000000C32000-memory.dmp