Malware Analysis Report

2025-08-11 05:05

Sample ID 241230-ccbl8stqgn
Target JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87
SHA256 9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87
Tags
dcrat discovery execution infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87

Threat Level: Known bad

The file JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87 was found to be: Known bad.

Malicious Activity Summary

dcrat discovery execution infostealer rat

DCRat payload

Dcrat family

DcRat

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 01:55

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 01:55

Reported

2024-12-30 01:58

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(identical entry repeated 15 times in the original log, one per schtasks.exe launch)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(identical entry repeated 2 times in the original log)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\providercommon\SppExtComObj.exe N/A
(the SppExtComObj.exe entry appeared 12 times in the original log; duplicate rows collapsed)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
(identical entry repeated 13 times in the original log)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\Source Engine\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Source Engine\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Multimedia Platform\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Multimedia Platform\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\providercommon\SppExtComObj.exe N/A
(the SppExtComObj.exe entry appeared 12 times in the original log; duplicate rows collapsed)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\SppExtComObj.exe N/A
(duplicate rows collapsed: powershell.exe appeared 12 times and SppExtComObj.exe 13 times in the original log)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\SppExtComObj.exe N/A
(duplicate rows collapsed: powershell.exe appeared 6 times and SppExtComObj.exe 13 times in the original log)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3900 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe C:\Windows\SysWOW64\WScript.exe
PID 5012 wrote to memory of 32 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1384 wrote to memory of 1308 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 2116 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 4812 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 2356 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3152 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3912 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 5024 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\SppExtComObj.exe
PID 5024 wrote to memory of 440 N/A C:\providercommon\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 440 wrote to memory of 1656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 440 wrote to memory of 5048 N/A C:\Windows\System32\cmd.exe C:\providercommon\SppExtComObj.exe
PID 5048 wrote to memory of 636 N/A C:\providercommon\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 636 wrote to memory of 2840 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 636 wrote to memory of 3580 N/A C:\Windows\System32\cmd.exe C:\providercommon\SppExtComObj.exe
PID 3580 wrote to memory of 1720 N/A C:\providercommon\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 1720 wrote to memory of 4700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1720 wrote to memory of 2964 N/A C:\Windows\System32\cmd.exe C:\providercommon\SppExtComObj.exe
PID 2964 wrote to memory of 1216 N/A C:\providercommon\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 1216 wrote to memory of 1172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1216 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\providercommon\SppExtComObj.exe
PID 2092 wrote to memory of 2688 N/A C:\providercommon\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 4936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2688 wrote to memory of 4464 N/A C:\Windows\System32\cmd.exe C:\providercommon\SppExtComObj.exe
PID 4464 wrote to memory of 3160 N/A C:\providercommon\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 3160 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3160 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\providercommon\SppExtComObj.exe
PID 2548 wrote to memory of 2380 N/A C:\providercommon\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 2380 wrote to memory of 3936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2380 wrote to memory of 468 N/A C:\Windows\System32\cmd.exe C:\providercommon\SppExtComObj.exe
(duplicate rows collapsed: the first two events appeared three times each in the original log, every other event twice)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\providercommon\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\Source Engine\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\winlogon.exe'

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\SppExtComObj.exe

"C:\providercommon\SppExtComObj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
(duplicate rows collapsed: the 185.199.111.133:443 tcp connection appeared 12 times in the original log)

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

C:\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4nsqr15.kwr.ps1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat

MD5 e1dc8c7686895802247658549fdb7dfb
SHA1 4970536d0e7be559447c66fc8d5fd6ccd67fa03c
SHA256 31db1fcf1e67f3643a09dfd0dd50ccc913fee2e3c2e9764db0adb4a5fd92a6a3
SHA512 4b42029a1d8504b2e18efa3bf41629e195957a7b41475003224eafb40eb116d3f1b6f5515389f84aab998afeb10302885efb2af5f42c4f0388377bbbf9bbffdc

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/5048-120-0x000000001C7A0000-0x000000001C90A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat

MD5 f5b1b66ed426f09c978971b84d1f9c18
SHA1 2cf75468dc658e6fbed3bf691a9b8c1f0897f74e
SHA256 c4f80cc49e016c5d254198694f137e0dafeab69a1703b5c19426a8219f146dde
SHA512 d04d334cb97141ae71d10212cd28fd07716645e8f9e5b9c18c609598a3642d9b104e07c76d3a25ce99be78d7e30098cf32ff601e1c45d0cc59501dc0ac91b367

memory/3580-123-0x000000001B0F0000-0x000000001B102000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat

MD5 4fe504dfc9695805d8df16b07d97a054
SHA1 047f6207735f3ce3e87ca5736aacdc846ef8bf68
SHA256 335c2b8d74086110e7e26f9020969601436f5df36d1638a7652dde005f2608cf
SHA512 de125db40a49a2a7a520e9e7833414761d4bbcb7fef4f42f9840a050cbe36fe91b15b51d3e726385b9b9a5a4dba4e3d1613622b9cb18bab511404f6076585c59

C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat

MD5 d0288af52fd93dca7324a8b7c771f8f9
SHA1 0d2013d6874362bd7c9928b091d57e2966a417f9
SHA256 1678840a6f824c6d8cec6344a07841bad94a0ef87cbc568e1a6172acb3f31bf3
SHA512 bc783035c6969535ee00efa94cf2eed9dab992270c6fd3bca0b26f68ab7ecee2c6c46c4c2694f15905453d3e9807dbf1dbb3af2e042f5a39b7b4f4c8030cea6f

C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat

MD5 7b1330328f560b8f7bd3289ea72a6fc6
SHA1 3f178ca3745ac7f92a04624031963f6bbbb256a4
SHA256 481b067f163e4390a3f533a7b73c22d1c801fe13267c8432cb699b86f445145d
SHA512 b137bd2980df58abd8d5cf91446bd1fcee1425ab373a544174a1d01cbd45c875bc500a4d2a047d0961a4d655221156b832458116aa34dbc9c39fb6896d70dadf

C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

MD5 16735acbe68848c1d2a676f5b428c2f1
SHA1 353932d509bd8880a20194d0ef7e2305d6a0ef38
SHA256 b09be8d8c44fe0d633641a766501de637d5b31905205834ed064d00b0cea0778
SHA512 ff0dad1fa8c42408c3295584ba5f12fc7b989c9b8e643096984776dc614f08459b23c46d016866e108ae81a9fc6229620b30e5c9389f1ba563ce2290b49e05fa

memory/2548-148-0x00000000012F0000-0x0000000001302000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat

MD5 73d66665460e0e0dacca53ebef4fe53d
SHA1 ee39277fddeb49995696d5818a7e622dcda9fb0f
SHA256 9f56aef13f7696849ddac8d8843ab4f65419c6440d31e7af36dd4ef1cd204a67
SHA512 23b29bdcf0f3b69b912ce1326165e0afa70dc533bc1b2a1c603a98e4de471125072e2c98fff4b5eea1268b2de2a4ec6326409a7e1daec37e0d09191f31dbe632

memory/4828-161-0x0000000002250000-0x0000000002262000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat

MD5 94011acd6111373f1895802f11429977
SHA1 5a80bb51c500274d298b24c378c272bf40f5bee7
SHA256 b2d7ccda0ea91cc624a691a7f4c8caa4ad8283bef3007295403866034a1568a3
SHA512 e239246ac08443e2e8d8e9b26da947d7192977cfbcafca0101dfb046e80a3abe6e5f6c8ce1583057e07a2f7263c41a0fdb707486133d704b783a0493831b2578

C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

MD5 d795e916d6abe95bbb5aeff884fb1eea
SHA1 cd1f8c78befc46ff89deb01835191fbb2a949843
SHA256 5cf644f4a233c874105deee7aae32fff4fb47dc6e40a85b46af49b97ea0900ae
SHA512 00de07924ae009fa1e2bee7a573197477745ec96b6fc9292745883a4363324249350b0fa293b45a1810bf6ffe0ac38c605b745fcb4863f86b8d2b83cb4cd31d9

memory/1972-174-0x0000000002CE0000-0x0000000002CF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat

MD5 79ccf13553ce65bd434345136ff5d6b0
SHA1 561a3954edbf7059b95b62bbe65d8a3b98b3ff27
SHA256 bb3db9670c9ea11e611e82457f015c858b8e583401f150bd8311d6cc09656e11
SHA512 f2675e3c9f3b79a0876b58e3aef015ddf7befe5e561cfb792c2962dd0a950332a397c954d79e0f6401842cd00a882f5d06166f18a223afe5bc6eb153211f8a64

C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat

MD5 440f83cbff30f019975d56f4b762c9b3
SHA1 49c1d689ccbf4d3d5c68c4a499472f0b9a8a8516
SHA256 f26653e9d68a580e4f9ffda4e222fe769b73f4e84867a486817a73ea0f2210c0
SHA512 f75df46d5b3a15e62fbe890e286d3c4e5425dfe32db874d7460cd4e6ec99a1cdee7c1f8a542471756980d62d8effe6d65284d587413ef3a47c4a6ef315043de0

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 01:55

Reported

2024-12-30 01:57

Platform

win7-20241023-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows NT\Accessories\es-ES\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows NT\Accessories\es-ES\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\1610b97d3ab4a7 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe C:\Windows\SysWOW64\WScript.exe
PID 2312 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe C:\Windows\SysWOW64\WScript.exe
PID 2312 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe C:\Windows\SysWOW64\WScript.exe
PID 2312 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe C:\Windows\SysWOW64\WScript.exe
PID 2476 wrote to memory of 2368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2368 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2368 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2368 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1776 wrote to memory of 2300 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2300 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2300 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 800 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 800 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 800 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1240 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1240 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1240 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1004 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1004 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1004 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1148 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1148 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1148 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 548 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 548 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 548 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1768 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1768 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1768 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1696 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1696 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 1696 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2556 N/A C:\providercommon\DllCommonsvc.exe C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
PID 1776 wrote to memory of 2556 N/A C:\providercommon\DllCommonsvc.exe C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
PID 1776 wrote to memory of 2556 N/A C:\providercommon\DllCommonsvc.exe C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
PID 2556 wrote to memory of 2388 N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe C:\Windows\System32\cmd.exe
PID 2556 wrote to memory of 2388 N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe C:\Windows\System32\cmd.exe
PID 2556 wrote to memory of 2388 N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe C:\Windows\System32\cmd.exe
PID 2388 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2388 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2388 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2388 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
PID 2388 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
PID 2388 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
PID 2616 wrote to memory of 1824 N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe C:\Windows\System32\cmd.exe
PID 2616 wrote to memory of 1824 N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe C:\Windows\System32\cmd.exe
PID 2616 wrote to memory of 1824 N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe C:\Windows\System32\cmd.exe
PID 1824 wrote to memory of 2996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Music\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BONJU275VGHHJID1ZABB.temp

C:\Users\Admin\AppData\Local\Temp\Cab2F0.tmp

C:\Users\Admin\AppData\Local\Temp\Tar302.tmp

C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat
