Malware Analysis Report

2025-08-11 05:06

Sample ID 241230-b9p1fstqap
Target JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11
SHA256 5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11

Threat Level: Known bad

The file JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 01:50

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 01:50

Reported

2024-12-30 01:53

Platform

win7-20240729-en

Max time kernel

146s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Photo Viewer\fr-FR\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\ScanFile\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\fr-FR\b75386f1303e64 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\SoftwareDistribution\ScanFile\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ScanFile\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Speech\Common\ja-JP\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\fr-FR\taskhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\CSC\v2.0.6\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ja-JP\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ja-JP\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A
N/A N/A C:\Users\Public\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2744 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe C:\Windows\SysWOW64\WScript.exe
PID 2744 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe C:\Windows\SysWOW64\WScript.exe
PID 2744 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe C:\Windows\SysWOW64\WScript.exe
PID 2744 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe C:\Windows\SysWOW64\WScript.exe
PID 2152 wrote to memory of 2888 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2888 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2888 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2888 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2888 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2888 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2888 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2880 wrote to memory of 1760 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1760 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1760 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2540 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2540 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2540 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1584 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1584 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1584 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1692 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1692 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1692 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1576 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2968 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2968 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2968 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2216 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2216 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2216 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3016 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3016 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3016 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1780 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1780 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 1780 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2124 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2124 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2124 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2804 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2804 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2804 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2908 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2908 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2908 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2912 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2912 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2912 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2180 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2180 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2180 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2672 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Public\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\cmd.exe

"C:\Users\Public\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2880-13-0x0000000000140000-0x0000000000250000-memory.dmp

memory/2880-14-0x0000000000540000-0x0000000000552000-memory.dmp

memory/2880-15-0x0000000000550000-0x000000000055C000-memory.dmp

memory/2880-16-0x0000000000560000-0x000000000056C000-memory.dmp

memory/2880-17-0x0000000000790000-0x000000000079C000-memory.dmp

memory/2672-56-0x0000000000E50000-0x0000000000F60000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 486d4cd85822358786f60abf8181d372
SHA1 bb5f368f6f91824072ef2bcfd48fa5d47343f202
SHA256 1056ac94a03b432c22b351edfd285fc5e9228634d28a1b8bcdf0f34b328c0a3d
SHA512 6cfd365c419abacfab623b9e4b1b1e0fbbc8fb547f7c340a88bbb222a2d9765bb271ba3241f6f0005fdf53be6379d5e82c3844e4345f71c9c12af355531e919c

memory/2968-63-0x00000000022C0000-0x00000000022C8000-memory.dmp

memory/2968-62-0x000000001B510000-0x000000001B7F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAD61.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarAD83.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

MD5 31b0ee83f04ed132f4ab906869afb989
SHA1 76b527df15986d6007b43d446674e476a281e667
SHA256 5fe4b578af003399cd6ade33022c898ea3577a6bd6fbcbedf38a5345d5d5800b
SHA512 fa036e92b818570ceca3238628b7c65e917be41a081721a208d0558ff8ff8775a285fa9435efe3fbfa5c61a6179bfe690777a4edc159f70a8826ba035cad0331

memory/1164-197-0x00000000001E0000-0x00000000002F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d9e89cc4c166449b50794993a331de2
SHA1 055711e76621504545ec6393e2442859625c6eef
SHA256 919153e850156271ffae28e1d19b5bb09903215560f9923a9c470a510c7797d8
SHA512 21f32f496e5c592d18454a1612c7dbfe8097cafbccbdba4a940fae0425621bd5d9a6627c5eac2d49b33779c092676ee59bb18ffd4e77c8f21d7800e6ea8707d5

C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

MD5 f71be3873c01c0d3cfc0a677c9298a47
SHA1 6a629fae6fa5b36b35e0691ccbfd75542a073742
SHA256 a8bd017bde3c12e09bf210b7b2757e3ecfed44372ab1d2437734a333e0a765c7
SHA512 bfbbfd415f68a4b17957c3b8ec70a762e97ca58091fb5dbb1fa03a79dc13f58b2c997bd0af2d5494ce961348f67102fd6188149dde08659ba188cc98b907bf8c

memory/2136-257-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8855bdab34c3ff0beb01f575dc2d5831
SHA1 eadeaf8fcfc91beca9cd62d34ccf85b3f996f12f
SHA256 004c8b7d0a6130bae50edc7a0f520ef5585ff633cab3b9b1c3418c9a12268610
SHA512 0e4d19a2143cc2a8ddb29639bcccaeffa101bb608140a56cd32ffd5cc86a7ecb066567e13bd8e304de58ff4ea2009d6504b06c0f073be37af320d6e20ac54407

C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

MD5 eaae9407e0536922dddb39d4009a6436
SHA1 7585304ce0530bd0dab6b3dae2b56f33aaf5b6a2
SHA256 8083180f922e5573a7840dae02fc1b01282843867f602fb2f32c2395549d5a10
SHA512 33964e2c49371e4728cecb75f6bb03ab39c46f4db949affb4e0878959c3a7d454968ab28f211b3e4f08e43ca57cf8fe4c176525fbe09a636aa635fdb8ebb5b4c

memory/696-317-0x0000000000E40000-0x0000000000F50000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bca43b667dd0a0b41717edb126ce4dd3
SHA1 0268dfcd037ca8e4f590a267048e2d5685e57de3
SHA256 a3a29875748d253bfa60f42624beced388fa345f6f34f9f86a69ec51a39e50c5
SHA512 25f47cfe937055cd6ee684cb27adb6b0281c710b4daf1a1be2ef966c4b8277dd7c869e5a08ba60ad3297b8cb5eb19719afe8df44c0bb8ac0930f3970868081d5

C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat

MD5 3942212c5c50a72364cafbd5052eb9fa
SHA1 86bb427acd6d541ba707e168f86a5711854cd942
SHA256 5192f8691137af9f571eba6795a57c695fadba0ebaf2b0be0d1c3ba771a85149
SHA512 6aa5260019fc7e0ed3d9d30448671275ccefa41d328d00f96414c36d909d6c1ee924d1bcdf189f3fc91fe820cf4f56984cb355d24961550ff5e41bbb3d448f68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efd2a719bfe43d2eb88ce22d2ef4627b
SHA1 d0d874980cbe7cbd8c5116306056dbef99c441f5
SHA256 a575f92b3f47a1236ac409d776c18e0b420d3ed575b5736a7cc709c502eeadf5
SHA512 ed5a08a4586b0295cc627369fb98c486d8cc880a7c703b9e4c67f993b05013324d1311619d3bad8555f8d8729855b610d92e5e3677779f9ff554fed74645e5f8

C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

MD5 429c8b930545514f14b091f550b5bfd3
SHA1 af3d2cc95c353cfcc2364c7f2098fcbc0fefd012
SHA256 01c48ffc11e6054c3147ad7154b1ec8881e7b087748fe8eb9f3cf95d580e3556
SHA512 959d8c3bbf6a5695fb22813a9288955293ea0432ff41db7337667cf45381f760649097aa67479c656a6abb258d62c6123c78b045a1ce3fdddc5c1039bd88ef43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10bf5a844f970cb1893957f8f7238d2a
SHA1 6c06bde45bef1beb84a15b86b5314149c03875fb
SHA256 c2558de9ac3d6e2f9f942f25d70fc91df52a14c3888642705f4354e2ad7117de
SHA512 4fe816a8d133bd3add63f8512d6a79f7f7dec0e0b2e2ed62ad3099ba30ccfcede724495818e508e2ca7b94ac79a483d5595b2b869c39b568ce8fd0d5734b61ae

C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

MD5 c5f923a4b37de138f98072acfc5b2934
SHA1 6a055347e2d4a25ab080ed9354e4ff1b31a4865d
SHA256 64dc1b1002e3d5a737b33e6ff13a02df75bfbf5e643091b21e232000ca6914d2
SHA512 e8c0670acbc6fec49edc2d0fdc01c0cd0d6f48ef7f3807289b472acd6b94c075f6bde21979db0b9dc6822296438383e304936325f5d495026a17bcd796ad17cf

memory/2796-495-0x00000000011F0000-0x0000000001300000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df5e2878a605e90f52ba3bfa54b23c3a
SHA1 519cc7d4efcaa8836084679ff6546c4335236f74
SHA256 609ef1d2428617b26aec9311b0b207d9a183b45b0611c7dc49c2661faf1cb6e1
SHA512 417d35f7a7b648352b5e252f4fb613bbb06a1fb87e0341e08a39252579a25cedc6dd5227a1ce7367456d701b67f89b0fac269c18364b37b641afc0256d1ebbb7

C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

MD5 e61ae54a4a27f6346381d5e2e02b279d
SHA1 3d6efe71fa7f3e3b1e1b1ff30920b70ce78a889c
SHA256 03f7fabe710173cd15fc1a709ceb5cdf44d5cb87c8f9917175b581a2d4e02b4e
SHA512 fb676826f44d20f7192d396768a1689cdbc88c67df1b45c8ee2d19730c83615dc4498a1fe25f652311b36b93049bf1357329631f55fd3fc17f9d69490fc632e3

memory/1408-555-0x0000000000440000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b1f8ce64acc55d80c769f0c4d51ebd8
SHA1 30a0f69cd90d4ec48591ec1bfa36f690640b9fa2
SHA256 d5b49ae7855b1c127d5ea7c93d58ebed2561d2f35eb71b96d6e486095ebdfdc6
SHA512 ac69cafd953936f8a9e3dc10762a72887b5cfad86ddd988be9346342f2e499e0bef90bf2fe949f819bd5f0133be9f94215b92d2d6d0c4c030ff597bc177fd1a3

C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat

MD5 74a0aab2fe44d1bb9a14c3604e3e055b
SHA1 f751c824e5bc883745575e86aaddf5a780e3ab70
SHA256 379c647cae67fd3d97833689f24c1959f64dcd4275634121554dd2795688dc75
SHA512 47e355b0d55246fc7b960ba4e2fd870efbfb3dabc9d20f1eff9211382f1087be45fc0392b816bb06c31b6263286fbae7611cdb99754ee32a138a929e8ced6b3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d1249599ef27cfbdc9577f9b229e511
SHA1 d77624f6401383bc755516009cd4cba30b3f60dc
SHA256 6daedf425526e319d7c094705487813cc858c4088c3ec38ebb9b07695d9bbc8f
SHA512 f7c73033e4588953501d9aefd39349a920dd8c28342a42f8a67430aaa1a258888d6f83c202e5aa98a33cc41408f3bf7c71472f229bcf16597a7fa3af8a48c172

C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat

MD5 971bf380edad5494123e3270d227a736
SHA1 40219bbd7753228d0296c9e320ee11c657d140d3
SHA256 c8eaaa1f74cf76679c7224a356c74e3626726d326d92befa6c9cf1469db7e7f9
SHA512 6f29ef025d5f53078549ca28174524fc0a2356e0bbc7ab7c9a56b48065d19274b07d85ec261f0e5ce142f2ca5142d21ee94a824af90f6f18981027b039082a01

memory/2928-674-0x0000000000350000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 525aae4dd0fe5c78c967afbd15980d66
SHA1 6971312b46eb549aa0dec3d71c88c5da5da4f01c
SHA256 a0e219835e349d93dd00647d4ecec7b9aa5008e3f9a6387f7803999f731ddf95
SHA512 c0e743ba74f298175fdec5cde1f60f5a8bfee002c5141208b5e6e72a05a9f5e246040b2261caada4cd8c0ba8782a381f196dfb829ebda578df0dc6ca7c69e22d

C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

MD5 5200b24564022580a23a45e724f1a0b7
SHA1 9ea07b172d29f02c7be00877b924783caededd00
SHA256 ad32fce11865e2501a360703bfe990dea3b3718f7d3d547005b2df06a4e94950
SHA512 3679c80d97d71f249157a90d657d64b16dd508fbf9cd643ed8bcab7fac9854ed932fa0f2c043bc69f86afa6e8ff276b87b57141f75501cb7655d57073c6b40ea

memory/2888-734-0x0000000000D60000-0x0000000000E70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 01:50

Reported

2024-12-30 01:53

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\System.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Multimedia Platform\TextInputHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Multimedia Platform\22eafd247d37c3 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ShellExperiences\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ShellExperiences\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\ShellExperiences\System.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A
N/A N/A C:\Windows\ShellExperiences\System.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellExperiences\System.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe C:\Windows\SysWOW64\WScript.exe
PID 3772 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe C:\Windows\SysWOW64\WScript.exe
PID 3772 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe C:\Windows\SysWOW64\WScript.exe
PID 1020 wrote to memory of 4612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 4612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 4612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4612 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2832 wrote to memory of 3516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 3516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 776 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 776 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 5068 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 5068 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1840 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1840 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2552 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2552 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 4372 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2832 wrote to memory of 4372 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4372 wrote to memory of 4184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4372 wrote to memory of 4184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4372 wrote to memory of 2972 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 4372 wrote to memory of 2972 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 2972 wrote to memory of 212 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 2972 wrote to memory of 212 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 212 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 212 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 212 wrote to memory of 4264 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 212 wrote to memory of 4264 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 4264 wrote to memory of 1636 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 4264 wrote to memory of 1636 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 1636 wrote to memory of 5060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1636 wrote to memory of 5060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1636 wrote to memory of 4652 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 1636 wrote to memory of 4652 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 4652 wrote to memory of 4580 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 4652 wrote to memory of 4580 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 4580 wrote to memory of 2180 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4580 wrote to memory of 2180 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4580 wrote to memory of 4776 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 4580 wrote to memory of 4776 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 4776 wrote to memory of 2680 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 4776 wrote to memory of 2680 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 2680 wrote to memory of 4236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2680 wrote to memory of 4236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2680 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 2680 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 2268 wrote to memory of 3396 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 2268 wrote to memory of 3396 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 3396 wrote to memory of 4496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3396 wrote to memory of 4496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3396 wrote to memory of 5024 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 3396 wrote to memory of 5024 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 5024 wrote to memory of 4488 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 5024 wrote to memory of 4488 N/A C:\Windows\ShellExperiences\System.exe C:\Windows\System32\cmd.exe
PID 4488 wrote to memory of 3100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4488 wrote to memory of 3100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4488 wrote to memory of 2136 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe
PID 4488 wrote to memory of 2136 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\System.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\providercommon\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellExperiences\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\TextInputHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jxMxsDnrsD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\System.exe

"C:\Windows\ShellExperiences\System.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2832-12-0x00007FFB51E93000-0x00007FFB51E95000-memory.dmp

memory/2832-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp

memory/2832-14-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

memory/2832-15-0x0000000002CC0000-0x0000000002CCC000-memory.dmp

memory/2832-16-0x0000000002CB0000-0x0000000002CBC000-memory.dmp

memory/2832-17-0x0000000002CD0000-0x0000000002CDC000-memory.dmp

memory/2680-44-0x000001DAD3680000-0x000001DAD36A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ryijcr1c.sc2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\jxMxsDnrsD.bat

MD5 a9b78b8ce4a3d1a03f2cddcfb34c98cd
SHA1 011142c8798b23d95c0d879015b6c7cdfed7b7bd
SHA256 1e05265d2f4865e17ac662fab54872708a40d875f04ecab0e8d777ddde0e246a
SHA512 492d44dea249f7132ab47e0c0ab7b39d635e571dcf1d3ca4bcd1f47675fe9d66f8f0d0cbe751ad0def92f54fdde33b1dd6731dca4dbe78d382b2db3655e5939e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

MD5 efdb6684a7eb1106268ef1acf31683ca
SHA1 a36d443aeb8c339a0fed5718fc189be0643f356f
SHA256 fde6a12eeab61b6da0dfb84f56d511cb3400b671e343554c55f5f5e8bd274174
SHA512 44952aec469f3c9489456f94741f19f28f756b19e6c8bfa700e71468bdcf58222d86d2f8f023e92a013a7a3d5d8ceb438c7ed57115db93798a09902f3ca750d0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/4264-126-0x000000001AB80000-0x000000001AB92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat

MD5 aa44b1bb71531cf6ac27c2fe4fa59ca7
SHA1 a6e20ffb3c56727de6d009652f70a366feb2ed8f
SHA256 6bb1aeb358dadb34745ec4da8d5d80502fe05b8256eb5ee4bf4205ab8ffe4b16
SHA512 d446e097507ad33b1c6c27f4fe6a40609ba93177a3491a78e78a81798fe96b70f70c16f52216d9c36905cacf0716f107ead383fd9ca1c817ce151fdb54e4f9c4

C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat

MD5 5407cef3d3a7a91c4abc4284ff6e9673
SHA1 837c2d0af54d0e5495538357ed5d3a6accf3d38f
SHA256 92e24c051d8090cb22c21ae89c335e1ef5ebd80dba13f9e60f1a727f403fb8e2
SHA512 4f1d86e33ef22546d11a97c16fc478ab14aeadf289de3958e8882f3b870bbedf9dcdd9b49b3d83eb4ac23700cf0a7d1fa24951459be8c6d26f2fa294b8774e59

C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

MD5 0799b4a943ebe21fe3a222e433f54528
SHA1 2b56324a0cb2722d70726af84399011ce20de19e
SHA256 bb324b34354f33bffaa04762f91adaf050daede54fb71761ea9890b978867a5c
SHA512 6462504d2412f1bd334bb5c7d5abad0272019fbf49759b131888012b2cb2e83e40c53858909d0192fa62d77fa2380c287f5e9698d10b12cc2d3199875f32bb07

C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

MD5 388d6973c6359079ed6ebeec0e2b4196
SHA1 b28089acef4fc76e563abd8a8d08c803ffef62c8
SHA256 07093e9e37c969e6aec8681ba645ff143e5627d5dff1743291aee771b2a71d3e
SHA512 7f6e3fa12b596afc9e0a271c57bdab49d309451b8838cb52aa3f76905fb64f6a931ac0d79e87ea053a3888211f1387d902c0b620a50b56018c8a0c82df59fc3a

C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat

MD5 182819fd7b98f7144df0ec4cd4853a28
SHA1 9b64b775b5fe09d1e7e6e0cb6d217f3bb4f46d9e
SHA256 37e33855e40848b0580b09587b586e7d35871c6cc43725c58596b04c4275ca8d
SHA512 cfb7e4af584b6a00b4327909d75fd95b8af99a9dc276f8322e7f4928cd1b692128b6e9f052595bf169688ec40e9b7eb9ef9e2e365ddd4504bacc1ad06a497208

memory/2136-157-0x00000000015F0000-0x0000000001602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat

MD5 9d102ace5a313391c89db0d406d4ff55
SHA1 d63ddae4be447e3522b66b878012564060f1a39c
SHA256 d74e7e7dd483482769b623b7cea914d6274f028f639c2860023debd5cccdf306
SHA512 a179d23c298dd05d3f1dbe7a5c9a5a34076acb38d65adf9f3fa37843c7af1f659e38056e8b5c100f8843fe9be4c835b6258f8022481c8cc95d038796ab9efade

memory/1880-164-0x0000000002500000-0x0000000002512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat

MD5 c84bd012fb4593630467a3dabfc1430a
SHA1 d325267114f75f361844bf340a6c712a4dd525d4
SHA256 ff7090ed0fec1efdc55c8966deb4b280b3ef7d7e4e3dce70a04fbba7f804d3a4
SHA512 90027b6f4a89d9d44e09e1934ddf5de18e979c08d06678893409537d4779be6984162bb3b2eb83fe8968a86155ac994c6dd2b0c6d6970839350a596430c1de9f

C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat

MD5 e987203dd19d9f8512fea3814c603ab0
SHA1 eb4f9974fa043daa67f9a708145fdcc0312f7ae4
SHA256 1cb2a50014c9791421ea459f0e42ca7afbbb1a0466061a7757821ade83056c6f
SHA512 9030b3c85c88f04a8518c400ceb11da397d69d5bd529030aef77b6f395ae6b80bb64880b454638b26620bbf79392bc9f68dea30d6c7dc2f3bbf72061b6138332

C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat

MD5 8b708c9e1e25cb21daafa9790bd79d65
SHA1 b3493442da916ab14725d5ab385f088ef90b4902
SHA256 0fec74cef95025231f14ccbdf199500e5745faed7f763f373731b65bb09961cd
SHA512 074e09174298603fedfa66d49aeaae79e243ce353c877df4a7a8ae85a049d6e2c3344391a71f13670a82eab3c9d472b00b88a8690fb9e37dcf15bbe77a78dbff

C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat

MD5 c04a8e446b2a088c3f582a0033a29d84
SHA1 7fad7d84f0c346789040ccde8f649243b78dde29
SHA256 c4b96a7fdf1a95c82723cdebe6f5fa26af94ab5211bac753f765710d2474edd0
SHA512 37fb1fdec8643c76fc265e8343079bb0fe8276544aaad148e7bf511af43e976de3a885d2e18d7283e5b8123624dbe17bb92e609137a2579921a644d2792317df