Malware Analysis Report

2025-08-11 05:05

Sample ID 241230-caabdstnfy
Target JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10
SHA256 a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10

Threat Level: Known bad

The file JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Process spawned unexpected child process

DcRat

DCRat payload

Dcrat family

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 01:51

Signatures

DCRat payload

rat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Dcrat family

dcrat

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 01:51

Reported

2024-12-30 01:54

Platform

win7-20240903-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |

DCRat payload

rat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |

Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Java\jre7\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jre7\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\audiodg.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\42af1c969fbb7b | C:\providercommon\DllCommonsvc.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\addins\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\addins\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\providercommon\WmiPrvSE.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2016 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2016 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2016 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2016 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2316 wrote to memory of 1808 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2316 wrote to memory of 1808 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2316 wrote to memory of 1808 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2316 wrote to memory of 1808 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1808 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe |
| PID 1808 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe |
| PID 1808 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe |
| PID 1808 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe |
| PID 2660 wrote to memory of 2864 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 2864 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 2864 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1604 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1604 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1604 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1780 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1780 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1780 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1404 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1404 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1404 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 2856 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 2856 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 2856 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 2092 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 2092 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 2092 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1996 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1996 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 1996 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2660 wrote to memory of 2500 | N/A | C:\providercommon\DllCommonsvc.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2660 wrote to memory of 2500 | N/A | C:\providercommon\DllCommonsvc.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2660 wrote to memory of 2500 | N/A | C:\providercommon\DllCommonsvc.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2500 wrote to memory of 2980 | N/A | C:\providercommon\WmiPrvSE.exe | C:\Windows\System32\cmd.exe |
| PID 2500 wrote to memory of 2980 | N/A | C:\providercommon\WmiPrvSE.exe | C:\Windows\System32\cmd.exe |
| PID 2500 wrote to memory of 2980 | N/A | C:\providercommon\WmiPrvSE.exe | C:\Windows\System32\cmd.exe |
| PID 2980 wrote to memory of 2288 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2980 wrote to memory of 2288 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2980 wrote to memory of 2288 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2980 wrote to memory of 1724 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2980 wrote to memory of 1724 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2980 wrote to memory of 1724 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\WmiPrvSE.exe |
| PID 1724 wrote to memory of 2112 | N/A | C:\providercommon\WmiPrvSE.exe | C:\Windows\System32\cmd.exe |
| PID 1724 wrote to memory of 2112 | N/A | C:\providercommon\WmiPrvSE.exe | C:\Windows\System32\cmd.exe |
| PID 1724 wrote to memory of 2112 | N/A | C:\providercommon\WmiPrvSE.exe | C:\Windows\System32\cmd.exe |
| PID 2112 wrote to memory of 1852 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2112 wrote to memory of 1852 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2112 wrote to memory of 1852 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2112 wrote to memory of 2956 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2112 wrote to memory of 2956 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2112 wrote to memory of 2956 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2956 wrote to memory of 2056 | N/A | C:\providercommon\WmiPrvSE.exe | C:\Windows\System32\cmd.exe |
| PID 2956 wrote to memory of 2056 | N/A | C:\providercommon\WmiPrvSE.exe | C:\Windows\System32\cmd.exe |
| PID 2956 wrote to memory of 2056 | N/A | C:\providercommon\WmiPrvSE.exe | C:\Windows\System32\cmd.exe |
| PID 2056 wrote to memory of 1092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2056 wrote to memory of 1092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2056 wrote to memory of 1092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2056 wrote to memory of 2880 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2056 wrote to memory of 2880 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2056 wrote to memory of 2880 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\WmiPrvSE.exe |
| PID 2880 wrote to memory of 2540 | N/A | C:\providercommon\WmiPrvSE.exe | C:\Windows\System32\cmd.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\wininit.exe'

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\WmiPrvSE.exe

"C:\providercommon\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2660-13-0x0000000001060000-0x0000000001170000-memory.dmp

memory/2660-14-0x0000000000550000-0x0000000000562000-memory.dmp

memory/2660-15-0x0000000000570000-0x000000000057C000-memory.dmp

memory/2660-16-0x0000000000560000-0x000000000056C000-memory.dmp

memory/2660-17-0x0000000000580000-0x000000000058C000-memory.dmp

memory/2500-36-0x0000000000D60000-0x0000000000E70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 adbf33fe427a383e095d64cc2afc520a
SHA1 77d37cb3c9c84ae164cbbceae6874211b1d2c4b8
SHA256 812dd08fc266cd37184fe5c9e8ac432a30ae26f9775456a7b997e8083fedae3d
SHA512 f054592cc2a3a2c17f7bada8470bcf24eb69735156567b33c755ea5d65c779c40bdf1711cf5fc3743f6bda474f05c6db0cc504c35b19f5d570bd5807a7cd9e4d

memory/1996-47-0x0000000002670000-0x0000000002678000-memory.dmp

memory/2864-46-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/2500-73-0x00000000003C0000-0x00000000003D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab192E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1950.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

MD5 5b4b677f885c959611c58272ebb8fc81
SHA1 a4ee95da14984ca39d5a04a1e419a2678fff1f58
SHA256 05cfda4559a01de60165433b4709a8aafc04639d596c9dd160d16e5b15365281
SHA512 878e44c4fcf4e8230765775399071679fde4a87ca80cdd6ce2cf40d1e86c9751740a52f47fb4faf40b13aaa0e264ee7f39f3ccfe15a87cde4f4c96a96cf0abbd

memory/1724-132-0x00000000002A0000-0x00000000003B0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88a132cc269b91d13727e5121ce57c86
SHA1 65c97604f629f96c3b859336bbb8fb5a658f7313
SHA256 34b5f17143f4b42edb906ecae5ee98ac288bd423ad8af2b165a6aa341b496078
SHA512 11e683f993a5155f310770fadc53bc53524fb7edf1f63f07e5a6644484fa22d5ec4c1c1a8fa5ed0537c3e65c72e1e95ef88bc5c9a703accea89fd82eb35abda4

C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

MD5 5eb42f3dacde8fe78adc8c39f40cb25e
SHA1 022bc0e688c513a3713e6466bfaa5e7c41911836
SHA256 311e09f53391ac08a89148c01a9c2cf4ebf2a08f53e70bf86e9f39c641443413
SHA512 02941988c2099901026afcdb4c81200906a104e55f63d1a432b07b0335327d8eeb754cd033b5bdda5618dffdfdf8a9b43cc9538839ad81469fa804eb209e86b5

memory/2956-192-0x0000000000090000-0x00000000001A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbc29ad46499e10a781a950c8c2e809b
SHA1 c818fc8f699b09d211339d3b347d1428656958e9
SHA256 8734b7b23baeba09a16bd9c9565576462fd2b86a38f192e9977885a700636603
SHA512 1670d61944952822ffefecbadcc132301cff4e3287724341217504e938753d311722c09d8e0d3fca5ba0853d967db5c3565c11902cdac269beed40dbededf7da

C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat

MD5 fc049c599b2b275e8cfa006b6a7cb762
SHA1 87727f6a2378770654f5bf1fe6b2357fea5d3250
SHA256 5a5cbbe520ced9d61bc102787218b253356ca1b5c034a58c6e1ad6c8ce8732b6
SHA512 f84901b8785fb5787215e8372fe6d25aa5d5e5dbd414a0cf144e4651937135ff8b811a456c901e3668cbba75377fc081a25cb9776fdca5755b1936b2630f1401

memory/2880-252-0x0000000000E30000-0x0000000000F40000-memory.dmp

memory/2880-253-0x0000000000540000-0x0000000000552000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a6542c2099438f4fb28744594f79d4b
SHA1 522891d834f1c719d128cc1b06abd2b54a846b29
SHA256 8c7ca7ecd89fe53de3d4633d1a1870bac08cbd114a197b1003f2126bcfb87934
SHA512 d38a5bf26bde9d67106bb4903913b36c066bf039dcbb93c19788e81a4e83293ae15ca8a3dda0b60f4d0f2a4b1a477cffec990678d7afb83e7aedc3c2899873fd

C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat

MD5 64d3891f280dd0e881d16f25a5fe4fd2
SHA1 117d54e513f6a7d82099b1a3ae48d03f148b6ef4
SHA256 3fc228380b3ea8a5bfa854cac93869c5e8234fb5d383b7ed339a490f9977a0a2
SHA512 8f0b76a0ce379f4b5eec2d03b58af1e61fe3fafaede0d01e63733103194ab85d1a7d5137db9a0f555f000a7cc031bad83a971385957613d6417835316c63a71f

memory/1992-313-0x00000000013C0000-0x00000000014D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b566743ba8dd492e5d96c21a06b19f5a
SHA1 08b1abf1f3f0024607f9534a352be278045ea7f6
SHA256 6c88c01aae24744872f8f2a9f8987dc3c22ec17b8508caf71947158442eaf076
SHA512 9cc06b1ae0e3a34667951cc545b2141fc549b5518de49abd2bb81856256b46b2a1adb6a0274cc28420c991a9bff9879b46764a1932893addc909b5556c5ee1a8

C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat

MD5 0da76fc34baccb5dcc8137d11dc11ebb
SHA1 d6998b75b0e75d7374bbafaa0af2efcf2815f388
SHA256 cb7c2c93d7a9d420803e2eeac407d66ea11eabae5e74e0c862688a0fde3e08ce
SHA512 9ecaf923396f0acca89e78a6703d53fe392673382b55814e0a783a3a8e2d1ca2515a01e31cffdecdc5999e931a36f2f215f71c8bdaea5888089c09074baff4e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28974d45c471083a211463abc263ec00
SHA1 843a8af682580b4eef5d17f16cce6d0b4323e7be
SHA256 ec2e407eb2d1d72ab59568b6e71a265468b0f8cb8d56b399fd6b2cf0860f6275
SHA512 c5ff75d60f8066925fea551be2908fd949a33e045e5103d3864161946ec4b7a53cdb687054e71e3388ae0de60c340499437987e6517db9ce4d1881a8d8b5be5b

C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

MD5 527f51fa41b615541a954d3709c4c9eb
SHA1 8320b49784036787d309c9f551948d054a2de721
SHA256 775abbd522ccf0aa7e260aae6eb202a0f1f9890cdef44d00f3e5bef63e61da39
SHA512 af04a9c2e5b88f2bfdd95c6759a1e1a38ea428fa78b659c35918fa954a0a621252e811638f9d140690b7ac86f16400fba2b7f253f618840801ead4e5caee9a69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cd201de0ebf708d3f9650705350eea0
SHA1 669c5f4c1e68b053f0690e3b48ad89a04e28a0a0
SHA256 497f29a296f840056a827480ca2e20fbfa3d5015c7f50add60e919142d4243ac
SHA512 c885ab2e1269c00483785fcc432e5790bfcacf30b590b2d86038d524f13743b745cc9b1e1e0113dfa4aa0ee4e3fe3ca4d2b7c9efcca2b8ba76187b1da359c5d6

C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

MD5 e65df733917177742be472a3ac3a2825
SHA1 1bc7c6c5a8b75785c859513288da67de6cb05f02
SHA256 72e575db9518b21e758854cd755a6ae3936bb5a9e9ee52c14d5aa79ac9739fec
SHA512 bc56ac6a4e73495d6464c1d3e3427d012357010d616307b4d5e50012717e13f35d552340847d829e6025b0bd3f3f19998a18d3599b2ea353cb050e2bd8d13cff

memory/2668-491-0x0000000000140000-0x0000000000152000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 112ecfa9715c54530ed22710d3c58a0e
SHA1 dc5022c59a36c9afa46830034b2a78f1cc153900
SHA256 942b23d8fe4ff0768f567459831c85f32e183a5392e8514c985e7dffe7197156
SHA512 efd2c496b1a956ded8fb8313f92cc1ad90f8921970807a007d986c4f553a45ad8b10c357e814cede6397807127e538d5ca3de507d4ddba4c060f95e79a61ab30

C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

MD5 029d9c5520643722795c857f65326e07
SHA1 eeb4bf838a7701c29f406ecd00e732101f880926
SHA256 16658b0cd52dc57c9baf09cbd7acb6674fc5a494f867bbef899b99559244a0d9
SHA512 197c5790290b423f340609cc2b03872d2a41dc3d11fc9cb76d48ec10753958201fdac517c2568510e47981e45fc2e754d0ebb8f7154fafaa975f271132ee86b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

memory/800-668-0x0000000000020000-0x0000000000130000-memory.dmp

memory/800-669-0x00000000003D0000-0x00000000003E2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 01:51

Reported

2024-12-30 01:54

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (36 identical entries)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (2 identical entries)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe N/A (3 identical entries)
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe N/A (5 identical entries)
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe N/A (7 identical entries)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A (16 identical entries)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\GameBarPresenceWriter\a76d7bf15d8370 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\appcompat\appraiser\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\appcompat\appraiser\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe N/A (12 identical entries)
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe N/A (3 identical entries)

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (36 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (3 identical entries)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (28 identical entries)
N/A N/A C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe N/A (2 identical entries)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (11 identical entries)
N/A N/A C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe N/A (15 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (11 identical entries)
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical entries)
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe N/A (15 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 404 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe C:\Windows\SysWOW64\WScript.exe (3 identical entries)
PID 4936 wrote to memory of 4212 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 4212 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe (2 identical entries)
PID 3200 wrote to memory of 3600 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 1924 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 1232 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 1672 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 4880 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 2328 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 1140 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 4728 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 2728 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 2240 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 620 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 5112 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 8 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 3200 wrote to memory of 5016 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe (2 identical entries)
PID 5016 wrote to memory of 4480 N/A C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe C:\Windows\System32\cmd.exe (2 identical entries)
PID 4480 wrote to memory of 1084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical entries)
PID 4480 wrote to memory of 1668 N/A C:\Windows\System32\cmd.exe C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe (2 identical entries)
PID 1668 wrote to memory of 2400 N/A C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe C:\Windows\System32\cmd.exe (2 identical entries)
PID 2400 wrote to memory of 4176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical entries)
PID 2400 wrote to memory of 1804 N/A C:\Windows\System32\cmd.exe C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe (2 identical entries)
PID 1804 wrote to memory of 4728 N/A C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe C:\Windows\System32\cmd.exe (2 identical entries)
PID 4728 wrote to memory of 620 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical entries)
PID 4728 wrote to memory of 116 N/A C:\Windows\System32\cmd.exe C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe (2 identical entries)
PID 116 wrote to memory of 3264 N/A C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe C:\Windows\System32\cmd.exe (2 identical entries)
PID 3264 wrote to memory of 2992 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical entries)
PID 3264 wrote to memory of 648 N/A C:\Windows\System32\cmd.exe C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe (2 identical entries)
PID 648 wrote to memory of 2108 N/A C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe C:\Windows\System32\cmd.exe (2 identical entries)
PID 2108 wrote to memory of 4404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a57979937859ed51e4b90d5d623243ee619134124481ce57321a6b760e582e10.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe

"C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

C:\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyufstej.h4r.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat

C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat

C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat

C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat

C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat

C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat