Malware Analysis Report

2025-08-10 11:53

Sample ID 241230-c61hfsvqct
Target JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081
SHA256 536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081
Tags
dcrat discovery execution infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081

Threat Level: Known bad

The file JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081 was found to be: Known bad.

Malicious Activity Summary

dcrat discovery execution infostealer rat

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 02:42

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 02:42

Reported

2024-12-30 02:44

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Default\Templates\dllhost.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Mail\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Mail\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows NT\TableTextService\en-US\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\servicing\fr-FR\sihost.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\Migration\WTR\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\Migration\WTR\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Default\Templates\dllhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
N/A | N/A | C:\Users\Default\Templates\dllhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\Templates\dllhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 372 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | C:\Windows\SysWOW64\WScript.exe
PID 372 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | C:\Windows\SysWOW64\WScript.exe
PID 372 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe | C:\Windows\SysWOW64\WScript.exe
PID 1180 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 3200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 1868 wrote to memory of 3200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 3200 wrote to memory of 2500 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 2500 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 1580 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 1580 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 3988 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 3988 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 4168 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 4168 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 4552 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 4552 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 4896 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 4896 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 336 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 336 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 2084 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 2084 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 2588 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 3200 wrote to memory of 2588 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 2588 wrote to memory of 208 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2588 wrote to memory of 208 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2588 wrote to memory of 5068 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 2588 wrote to memory of 5068 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 5068 wrote to memory of 3724 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 5068 wrote to memory of 3724 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 3724 wrote to memory of 3192 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3724 wrote to memory of 3192 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3724 wrote to memory of 3176 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 3724 wrote to memory of 3176 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 3176 wrote to memory of 3720 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 3176 wrote to memory of 3720 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 3720 wrote to memory of 4384 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3720 wrote to memory of 4384 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3720 wrote to memory of 2564 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 3720 wrote to memory of 2564 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 2564 wrote to memory of 380 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 2564 wrote to memory of 380 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 380 wrote to memory of 3868 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 380 wrote to memory of 3868 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 380 wrote to memory of 4920 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 380 wrote to memory of 4920 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 4920 wrote to memory of 2616 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 4920 wrote to memory of 2616 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 2616 wrote to memory of 1820 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2616 wrote to memory of 1820 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2616 wrote to memory of 3260 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 2616 wrote to memory of 3260 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 3260 wrote to memory of 5080 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 3260 wrote to memory of 5080 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 5080 wrote to memory of 5040 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5080 wrote to memory of 5040 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5080 wrote to memory of 4912 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 5080 wrote to memory of 4912 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\Templates\dllhost.exe
PID 4912 wrote to memory of 712 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 4912 wrote to memory of 712 | N/A | C:\Users\Default\Templates\dllhost.exe | C:\Windows\System32\cmd.exe
PID 712 wrote to memory of 4004 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 712 wrote to memory of 4004 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
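Every row in the WriteProcessMemory table pairs a parent with a child it launched, so the table doubles as a process log. The Python below is an added example, not part of the sandbox report or of the DCRat sample: it rebuilds the process tree from the distinct rows above and extracts two things a triage analyst wants from it, namely how many generations deep the dropped dllhost.exe copy re-launches itself, and which cmd.exe instances follow the delay-then-respawn pattern visible in the Processes list (a `w32tm /stripchart /computer:localhost /period:5 /samples:2` call that takes a few seconds and serves as a timed wait, followed by a fresh copy of the parent image). The row text is copied from the table; the function names and the choice of dllhost.exe as the image to count are the example's own.

```python
import ntpath
import re
from collections import defaultdict

# Distinct rows copied from the "Suspicious use of WriteProcessMemory" table
# above (the sandbox logs one row per write, so repeats are dropped here).
WRITE_ROWS = r"""
PID 372 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe C:\Windows\SysWOW64\WScript.exe
PID 1180 wrote to memory of 1868 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3200 wrote to memory of 2500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 2588 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2588 wrote to memory of 208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2588 wrote to memory of 5068 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Templates\dllhost.exe
PID 5068 wrote to memory of 3724 N/A C:\Users\Default\Templates\dllhost.exe C:\Windows\System32\cmd.exe
PID 3724 wrote to memory of 3192 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3724 wrote to memory of 3176 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Templates\dllhost.exe
PID 3176 wrote to memory of 3720 N/A C:\Users\Default\Templates\dllhost.exe C:\Windows\System32\cmd.exe
PID 3720 wrote to memory of 4384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3720 wrote to memory of 2564 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Templates\dllhost.exe
"""

# Paths in these rows contain no spaces, so \S+ is enough to split the columns.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return {(parent_pid, child_pid): (parent_image, child_image)}, de-duplicated."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ppid, cpid, pimg, cimg = m.groups()
        edges[(int(ppid), int(cpid))] = (pimg, cimg)
    return edges


def build_tree(edges):
    """Map every pid to its image path and to its parent pid (root -> None)."""
    image, parent = {}, {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        image[ppid] = pimg
        image[cpid] = cimg
        parent[cpid] = ppid
    for pid in image:
        parent.setdefault(pid, None)
    return image, parent


def basename(path):
    # ntpath handles backslash paths on any host OS.
    return ntpath.basename(path).lower()


def lineage(pid, image, parent):
    """Image basenames from the root of the tree down to pid."""
    chain = []
    while pid is not None:
        chain.append(basename(image[pid]))
        pid = parent[pid]
    return list(reversed(chain))


def respawn_generations(image, parent, name="dllhost.exe"):
    """Most times `name` occurs on any single ancestor chain; >1 means the
    payload is re-launching a copy of itself through child processes."""
    return max((lineage(p, image, parent).count(name) for p in image), default=0)


def delay_respawn_cycles(edges, image, parent):
    """cmd.exe instances that both run w32tm.exe (the wait) and start a new copy
    of their own parent's image. Returns [(parent_pid, cmd_pid, respawned_pid)]."""
    children = defaultdict(list)
    for ppid, cpid in edges:
        children[ppid].append(cpid)
    cycles = []
    for cmd_pid, img in image.items():
        if basename(img) != "cmd.exe" or parent[cmd_pid] is None:
            continue
        owner = parent[cmd_pid]
        kids = children[cmd_pid]
        if "w32tm.exe" not in {basename(image[c]) for c in kids}:
            continue
        for c in kids:
            if basename(image[c]) == basename(image[owner]):
                cycles.append((owner, cmd_pid, c))
    return cycles


if __name__ == "__main__":
    edges = parse_rows(WRITE_ROWS)
    image, parent = build_tree(edges)
    print("respawn generations:", respawn_generations(image, parent))
    for owner, cmd, child in delay_respawn_cycles(edges, image, parent):
        print(f"pid {owner} -> cmd {cmd} -> w32tm wait -> pid {child}")
```

The first cmd.exe under DllCommonsvc.exe (PID 2588) is not reported as a cycle because it launches a different image (the dllhost.exe copy) rather than its parent's own; from PID 5068 onward every cmd.exe in the chain re-launches dllhost.exe, which is the loop the per-iteration `.bat` files in the Processes list drive.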

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\explorer.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rRelPrOQ0o.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Templates\dllhost.exe

"C:\Users\Default\Templates\dllhost.exe"

Network


Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

C:\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c33eqhmx.zbn.ps1

C:\Users\Admin\AppData\Local\Temp\rRelPrOQ0o.bat

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat

C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat

C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat

C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat

C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat

C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat

C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 02:42

Reported

2024-12-30 02:44

Platform

win7-20241010-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\en-US\c5b4cb5e9653cc C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Journal\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Journal\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\101b941d020240 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\lsass.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\6203df4a6bafc7 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\DVD Maker\en-US\services.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\twain_32\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\twain_32\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\security\lsass.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\security\6203df4a6bafc7 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..-security.resources_31bf3856ad364e35_6.1.7601.17514_de-de_036af9576c5505c8\dwm.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\Music\Sample Music\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\Sample Music\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe C:\Windows\SysWOW64\WScript.exe
PID 2244 wrote to memory of 1500 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2996 wrote to memory of 2724 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 880 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 596 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 1052 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 1284 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 1648 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 1536 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 1936 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 1172 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2516 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 1028 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Public\Music\Sample Music\dllhost.exe
PID 1028 wrote to memory of 636 N/A C:\Users\Public\Music\Sample Music\dllhost.exe C:\Windows\System32\cmd.exe
PID 636 wrote to memory of 1500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 636 wrote to memory of 1476 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Music\Sample Music\dllhost.exe
PID 1476 wrote to memory of 2184 N/A C:\Users\Public\Music\Sample Music\dllhost.exe C:\Windows\System32\cmd.exe
PID 2184 wrote to memory of 932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_536aa3c8c0df98bd6a34fa919a92e838ff6823d1ef631af26b46da4b3685f081.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\security\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\security\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\security\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'

C:\Users\Public\Music\Sample Music\dllhost.exe

"C:\Users\Public\Music\Sample Music\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Music\Sample Music\dllhost.exe

"C:\Users\Public\Music\Sample Music\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Music\Sample Music\dllhost.exe

"C:\Users\Public\Music\Sample Music\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Music\Sample Music\dllhost.exe

"C:\Users\Public\Music\Sample Music\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Music\Sample Music\dllhost.exe

"C:\Users\Public\Music\Sample Music\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Music\Sample Music\dllhost.exe

"C:\Users\Public\Music\Sample Music\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Music\Sample Music\dllhost.exe

"C:\Users\Public\Music\Sample Music\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Music\Sample Music\dllhost.exe

"C:\Users\Public\Music\Sample Music\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Music\Sample Music\dllhost.exe

"C:\Users\Public\Music\Sample Music\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Music\Sample Music\dllhost.exe

"C:\Users\Public\Music\Sample Music\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
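
The schtasks and Add-MpPreference command lines above are the whole persistence and defence-evasion story of this sample: every dropped binary borrows a Windows process name (Idle.exe, lsass.exe, csrss.exe, services.exe, sppsvc.exe, lsm.exe, spoolsv.exe, smss.exe, dllhost.exe), lands in a directory the genuine binary never lives in (MSOCache, Program Files locale folders, Public\Music, Recovery), is registered twice with schtasks (once ONLOGON with /rl HIGHEST, once on a short MINUTE repeat, under a task name that is the process name plus one trailing letter), and is then added to the Defender exclusion list. The repeated cmd.exe -> .bat -> w32tm chain is the stager: `w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2` takes period × samples seconds to return, so it serves as a sleep before dllhost.exe is relaunched. The Python below is an added triage example, not code from the report or the sandbox vendor: it parses command lines of this shape and flags the masqueraded task targets, the ONLOGON+MINUTE pairing per target, the Defender exclusions and the w32tm delays. The process-name list and legitimate-directory tuple are assumptions about what is worth watching; the robocopy task and svchost lines in the sample are constructed negatives, the rest are copied from the process list above.

```python
"""Triage sandbox command lines for the DcRat persistence/evasion pattern."""
import json
import re

# Assumption: process names DcRat droppers borrow, and the only directories
# where the genuine binaries live.  Extend both for your own environment.
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "csrss.exe", "smss.exe", "services.exe", "spoolsv.exe",
    "dllhost.exe", "sppsvc.exe", "lsm.exe", "idle.exe", "svchost.exe",
    "winlogon.exe", "wininit.exe", "explorer.exe",
}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

RE_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
RE_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
RE_SC = re.compile(r"/sc\s+(\w+)", re.I)
RE_MO = re.compile(r"/mo\s+(\d+)", re.I)
RE_TR = re.compile(r'/tr\s+"([^"]*)"', re.I)
RE_RL = re.compile(r"/rl\s+(\w+)", re.I)
RE_EXCL = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']*)'", re.I)
RE_W32TM = re.compile(r"\bw32tm\s+/stripchart\b.*/computer:localhost", re.I)


def is_masquerade(path):
    """True when the file name mimics a Windows process but the directory is
    not one the genuine binary is installed in."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not p.startswith(LEGIT_DIRS)


def parse_schtasks(cmd):
    """Fields of a `schtasks /create` command line, or None if it is not one."""
    tr = RE_TR.search(cmd)
    if not RE_CREATE.search(cmd) or not tr:
        return None
    # The dropper quotes the target as "'path'": drop the inner quotes and
    # any arguments that follow the executable.
    target = tr.group(1).strip("'")
    exe = re.match(r"(.*?\.exe)", target, re.I)
    target = exe.group(1) if exe else target
    tn, sc, mo, rl = (r.search(cmd) for r in (RE_TN, RE_SC, RE_MO, RE_RL))
    return {
        "name": tn.group(1) if tn else None,
        "schedule": sc.group(1).upper() if sc else None,
        "modifier": int(mo.group(1)) if mo else None,
        "run_level": rl.group(1).upper() if rl else None,
        "target": target,
        "masquerade": is_masquerade(target),
    }


def triage(cmdlines):
    """Aggregate task, Defender-exclusion and w32tm-delay findings."""
    report = {"tasks": [], "defender_exclusions": [], "w32tm_delays": 0}
    for cmd in cmdlines:
        task = parse_schtasks(cmd)
        excl = RE_EXCL.search(cmd)
        if task:
            report["tasks"].append(task)
        elif excl:
            report["defender_exclusions"].append(
                {"path": excl.group(1), "masquerade": is_masquerade(excl.group(1))})
        elif RE_W32TM.search(cmd):
            report["w32tm_delays"] += 1
    # DcRat registers each drop twice: once ONLOGON and once every N minutes.
    schedules = {}
    for t in report["tasks"]:
        schedules.setdefault(t["target"].lower(), set()).add(t["schedule"])
    report["dual_trigger_targets"] = sorted(
        tgt for tgt, sc in schedules.items() if {"ONLOGON", "MINUTE"} <= sc)
    report["masquerades"] = sorted(
        {t["target"] for t in report["tasks"] if t["masquerade"]}
        | {e["path"] for e in report["defender_exclusions"] if e["masquerade"]})
    return report


# Constructed sample: lines copied from the process list in this report, plus
# a benign backup task and a real svchost invocation that must not fire.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f""",
    r"""schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /f""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\lsass.exe'""",
    r"""w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe C:\Data D:\Backup /MIR" /f""",
    r"""C:\Windows\System32\svchost.exe -k netsvcs""",
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CMDLINES), indent=2))
```

On a live host the same checks map onto `Get-ScheduledTask` action paths and `(Get-MpPreference).ExclusionPath`; a system process name whose path is outside System32/SysWOW64, or any Defender exclusion pointing at a user-writable directory, is worth an alert on its own, and the ONLOGON+MINUTE pair on one target is the DcRat fingerprint.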

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2996-13-0x0000000000A80000-0x0000000000B90000-memory.dmp

memory/2996-14-0x0000000000450000-0x0000000000462000-memory.dmp

memory/2996-15-0x0000000000460000-0x000000000046C000-memory.dmp

memory/2996-16-0x0000000000470000-0x000000000047C000-memory.dmp

memory/2996-17-0x0000000000480000-0x000000000048C000-memory.dmp

memory/1028-46-0x0000000000CF0000-0x0000000000E00000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7c2ab678381076a17db2104e5173df10
SHA1 e7a867c9cde4c6c190da96edca7a760b2038186b
SHA256 5a3a242d7a0d6171e93609b3287fb86407feee2f76ca75f072a6b61b8f5e3391
SHA512 6b904ba3414521c912662450aa78616deef157bd2975573c5b67297808c8e5ac863fddc8eb71b7976be2fa15f1b507170a7ab1d8cc9d9c8b039fe3736e66c6b3

memory/1536-67-0x00000000024E0000-0x00000000024E8000-memory.dmp

memory/1536-66-0x000000001B300000-0x000000001B5E2000-memory.dmp

memory/1028-108-0x00000000001C0000-0x00000000001D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFD45.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFD96.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

MD5 dd987216225b491df1d4597766311dd0
SHA1 c3a3323c17a0f083a8877a3647c0600f8af7d383
SHA256 25208d735394b37551f9922f97f5f9c99ab471b2cbf1c3494664936895162022
SHA512 183506edba7bcee3b570a44726ec49a8a47b93685dc24735228be3ccdb57e14182ca8cc32e699da55891760d94c3370b76ce7f1e013c77179f927ea75076c788

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea6965799abb34000a34d4b9523b2783
SHA1 67e5b9e6018995560db822762586416a89441646
SHA256 6a5ce694cb3d7439d35b362f76aff812f440dbc18b40794a4158173e4d5b098d
SHA512 de0a9dd8b57bea945ac0cb7787795d0a1c5702fc4d6c1bfd3a4ef158b880e1e90f099da3c451e9b2a69863ac55fa80bd1da86e6a5b85b6c77f9c00aa9162932f

C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

MD5 03c4dce97ee0aad4437b892aee96089a
SHA1 c26f1b45dbe5b287a937b5f4435f561254338d2c
SHA256 b365e953d0361ac4eb73d559b996041888c17b9fc80ec4573ee9830efce85dd1
SHA512 1b3e539d4d855b60378cb21bd89c504e8994197b416f0e33c184bd9d6417346e89e24658f9a0577873dba33906d1a34ac5ca4945de5f989f8c70a7fb9fe907e3

memory/1812-226-0x0000000001180000-0x0000000001290000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 409f2a75b491264bc8c473ebd77b8e1c
SHA1 eca24db8d9b9bc9990bd2930de66f76f999af7b9
SHA256 6f9d69ccae69c749f49cfd42a2a4d8eee5fd71d5e4137180e3f2b9b0b929cfbb
SHA512 b6259a04abeb01bca4db48bde6887b6800d4f30958e2f0cc64c54b52090b3d2e0589f26b78bfd44bd1d8dffe24c0993f806f64d5de58ed7b704903b892e4784f

C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat

MD5 7214131fbfb822dfbda7cc8d41d6aed9
SHA1 6938c7f2fd4990575c01c6478c67297810ad3a27
SHA256 04302c6d96ed02a0b5226f755cd289934fa28f9b76e2dcb8692854d68bb8495c
SHA512 4096c430539d1805613142cf1c2acf74bf77d4fc5f22b086eb1fa7c4b53129823c58880eaaf98ce958c921beaec42baa1bee833fb926ba836225c74c08ce3f91

memory/2208-286-0x0000000001300000-0x0000000001410000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c046937c4fe96639e636600c1e1b1c17
SHA1 1d98b2a83531e65fab5e12ab77425f6898e585db
SHA256 12c8e21889c2f71014a51ee678a95343f7964772008107d98831f137c40766b1
SHA512 776a9b982d3c786c19d105d326a4d861b4126e1a94b010424c6b2e8e72316d87a25a0ba0c7f8c6883dd4bc3bc22837c4392257ccb518caddf9b056032d5621f5

C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat

MD5 37d7fa14381d166d11b7f7dde4a1375c
SHA1 1bcdb5477efa59346f1cb9a1b15e2034fc5289af
SHA256 8fdfb722836443cf51e04f64f58bc0cc61e5fa7ab0d518659e22a5b21d95f509
SHA512 c8a152d9968a1f4bd438da46ff359fa85b4866fa787f2e1e1f9f4a382ba5180562d4d25fe8568d802eb417de16e967300c2fcec35ba4fd0d0cb3e798971c12a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4222ac2c9bf826a00b01c781362db7a3
SHA1 2fef6e2fb21c9f3567fe9c6598a8e30a245cfcb2
SHA256 ffd491fedd80a38322aafdf22d90038f07059f83849818ff7f8454a50498d1bb
SHA512 157d4ff10a9541983f9e4e288283a6359c05c0a46c7cb70b6a76cae0265d1865fc74b9f67f02d6ace2f9956a5de9a26ca2c6bd744b0c9b85d5afdd86f650e141

C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

MD5 ae8197b756f308f00544c13f3c96ed09
SHA1 3ef4968b2b8b9980dcc743f6067452e74acc09ed
SHA256 dfdbc41f4096c52ab7a8e175387b3b8ba6342257f8bcd52aa6184c7f09d579ab
SHA512 dc3290043075d7907f94a7c43960902d286da96814b94ef3f15c875996e801231a5abea7d0f63edbc34406139d6f085de294c3310a04de927caf7cbc9ad3aa6e

memory/1652-405-0x0000000000430000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8bacb66c1649b72ecbe33353d82f04bd
SHA1 59ee32b494e62834ed6d1df57f62ef2493178625
SHA256 0e85954e8c156f481a3f5c911ad377c749ef7149c35b9fd21e89d07de35ac412
SHA512 adaf39269d3f4d7e004c59d4d69fac873355d17665ca086e78bf5f06d59c1b5bd530b0736cc4936644f1d7f46a84ba3712583dc63ab5cbfae190511db49ca612

C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

MD5 44b225b4a3c68fe25e51c32aea26ab46
SHA1 bc2ab4ed69d4e68f02145630908ceebfb3f30748
SHA256 9d122379db0c379bd796ec9f09cc844a6057b48ad2a08126af7d97c6c0d7ede8
SHA512 d59eccdea22314c1cc1abd40afbab302a752f46f673b51350b8ca74291e191a62eef144ed863bbcd0ea56889c2ab6a7621b056bbc5e3e25829174e40644dcf26

memory/3040-465-0x0000000000290000-0x00000000003A0000-memory.dmp

memory/3040-466-0x0000000000280000-0x0000000000292000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9af6fa8aeaacf7f63c3593cd875fb53
SHA1 f61261a258e98e7c2f758df9b55d415c994e029b
SHA256 bbb0e74bd5db789a032c4d79329d31dd0bb65bc4504aad043a05d4b1a46bcba7
SHA512 214ad42ad808d34c93e15a82b829cfd42039a1634f8d1b0a869eadf9fad5461b49295c3550ccfbcdcfac9ff1a04b07bc4006e3c2dd89ea4fb1984d82893d66c2

C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat

MD5 5cc99c9e9247123666b6a0d7cc440cff
SHA1 230b5d0fe5cd93eb75f3791468650321d038b297
SHA256 3f6098e0fcfd233ddcd803c26ff62e1d011a889592b4b543d39ea4287baaad9e
SHA512 bf2d365f49b7d08c714af3023402b0d494becd4401116b169edc3529d912b980ab8787334f824892cd51c519b60ae72e92d5514b5d500f5b5555c45133dcf690

memory/1972-526-0x0000000000FF0000-0x0000000001100000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e3baf005cc368205a1b2a0ad25045b0
SHA1 7e4f2f54e023a3e826cc0300ecb9de5c4c01d962
SHA256 40cfd44f277e221844e19baaa598bc2556f9cf4ec4b693d91bcd3b4d9514f481
SHA512 4ed67559c9bee5783ceeafc201ac45c0ae429518c6183a1550e82177c2b38b772cd9e2bedcb5673e05a4d55d477c1f553af21562bad64e8aefc1bb6c9d6e9202

C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat

MD5 0468a135dfbd56f8f22e2dcebf5ab285
SHA1 93849bf87b8efc891a4c4a9474420965db4952a1
SHA256 16cb2b02bd11b55f0bb66b9d1cfd937958d32f31f532afb7d4cf50200b12a014
SHA512 6bd6de2eb4bb592c18a56ca5b2c0d1ba487677b5995d4ddc7d4a72aaf5e4abcaf2c65b6866a61a05a5b87f028ea9cf346e89e6e1b8304b26183b2597bc2ef84a

memory/1044-586-0x00000000002B0000-0x00000000003C0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf12c7530f21bf8c6627b0f53ebfd167
SHA1 1ec7ae104ef894da0810fe3da4912d130db52154
SHA256 29b9364c3f1dcf25a6b2405e7ac8e33342cd58a994272b8880e7c8f866cb6f27
SHA512 88d9e0ea56bcc23928ae51094cf64a3df5fb43e8cc4fc3cc88c1118d9d88498af805f11b01c967cd85d7fc928f9f7add60a27c1d214e315e63250db33db449c0

C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

MD5 e67f2897e683f7fc25b1ad9a100dcc36
SHA1 b53c9884a2663ce5e680618e0a6b144b3d2c8f01
SHA256 84510aacab1b40ffacef8439559e4d4c0ae1d5dc7d85685c78b2e185d3fde1eb
SHA512 cd6ee5c70ffe6ee271df0be2b03e8a918636682b87be852cdea447a1066aeddefea0934e42d9a9071da9218e210719579c07de73ee791e92975adc26457daf99

memory/2056-646-0x0000000000B70000-0x0000000000C80000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c24c354d8d95ffdfd43848fe5d41cd3e
SHA1 d178c3830f713035ea631eb491bf7c8fde48fedb
SHA256 2a6d0373a6d4c8cf18afd7baa483503c2fe7caea639ad2b92d166d7f39be7fa5
SHA512 1cddf78674cbd385a98c146d6385518e64d9351eb66bf21e90a01efe17c292013e70d8b8a3aa00146f975eb651f9ef51a93e95941a022510c8170d74bc7df112

C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

MD5 716235c1a05d5e1d3947d25ffa8b2697
SHA1 0e45a7da46c4cf97839b3e23d13d6383406058af
SHA256 4f30c51adae6f88509f553bf94aff1b0248da96b2f6009f7b35d91ce8460b073
SHA512 47938cf17987e5ab944f494155187294dbc149aadff333b16b109026ab88ba0d461c138bd5e73cb6b7a57d72b0522063edaf8fe9684c6f57797f50ff86377df9