Malware Analysis Report

2025-08-11 05:06

Sample ID 241230-ce2lfatrdq
Target JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5
SHA256 032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5
Tags rat dcrat discovery execution infostealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5

Threat Level: Known bad

The file JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 02:00

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 02:00

Reported

2024-12-30 02:02

Platform

win7-20240903-en

Max time kernel

145s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\WCN\en-US\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\System32\WCN\en-US\ebf1f9fa8afd6d C:\providercommon\DllCommonsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cs\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Media Player\smss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Media Player\69ddcba757bf72 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Tasks\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe C:\Windows\SysWOW64\WScript.exe
PID 2388 wrote to memory of 2760 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2904 wrote to memory of 2216 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2184 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2148 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 1796 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 3052 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2920 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2480 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 1208 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2428 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 1948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2392 N/A C:\providercommon\DllCommonsvc.exe C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
PID 2392 wrote to memory of 808 N/A C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe C:\Windows\System32\cmd.exe
PID 808 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 808 wrote to memory of 548 N/A C:\Windows\System32\cmd.exe C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
PID 548 wrote to memory of 2704 N/A C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe C:\Windows\System32\cmd.exe
PID 2704 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2704 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe
PID 2652 wrote to memory of 2144 N/A C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Pictures\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\WCN\en-US\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\System32\WCN\en-US\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\WCN\en-US\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WCN\en-US\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\cs\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\smss.exe'

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe

"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe

"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe

"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe

"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe

"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe

"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe

"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe

"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe

"C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YP1CTHXWVJ3E67MD9JT3.temp

C:\Users\Admin\AppData\Local\Temp\CabA085.tmp

C:\Users\Admin\AppData\Local\Temp\TarA098.tmp

C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat

C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat
SHA256 257b8dad98f3746b3b39804d59323e21679a3cd1b16bb31ea14aba3b48c94f2a
SHA512 9d8cbd4e9f676914fc202e9f0aa7dbad276214ed7503bb11be8add31b88e6665bee364f15198751c083a9220aed103c730fe0a0d3a71aa4b15942a0c907136c8

C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

MD5 7a4159602f929a3048d6aa523f683b05
SHA1 9d7c825b7f8e23c9806f2bdbf5610847c3a849a7
SHA256 52f5bfb5bf0a7b7f11dd35dc0437255f1d941e40b326bbf7b8f666822142d6d6
SHA512 bdabccd8b7655771238a94db0a7e80dea9559d43ea7f29bb54f6e1db7c53247127980fb4a302ef646bf7f26b8c56c06e8393dfbd61d4a0e098b51b1ae832a0cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ec380469e10aed9de1e7e315ba9a665
SHA1 2f80da7e805d8852be82a75db67b40b55870e1e4
SHA256 c7d1b616816fee055ee3cbc475bfd4fa6f22761962bdc3603534dd329fc1cefc
SHA512 37bc0fad86951816f7de05a1d0b705916d611a1e38c0dc530f41d691379b78a37d37f93df97b7ea6eaf0c1669fd8fbbff2e8b5282dc0536a69a122ae7286adb5

C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

MD5 db71919c2f9bc9e9d847f9dc328e2dd3
SHA1 46a44d44fe7ca43bdbbe7451539272878b41585e
SHA256 b7da24ed1a0bac172c2764ff3e88e99737106a8f7b7df09b61ed5da589ee283e
SHA512 57ccdf1ee0a85c7393818ef8a85bf8673156e9f2629a6b0c28d079cf04d31c670f1c89b15ab7594d051d6eafc6ff4cfba04c5b1872feb0bb013d47f2ca2d11d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0762ea0188ff0e8b8911f0c90dd374a3
SHA1 15c4749fb7278b7b809ade7b798a501b4a25e90b
SHA256 b9d070fac12cb13d2843ca30b6c268890aafa5445d50c486765c89d31a014f27
SHA512 2ee980552acbb5ceca535f6e0194fc4088b3bec0288927d62732ab85387a1f4a42c6dbd76017b5e405fecb428685f8c0401a07f7cb311c99706c2b433a8dfa3e

C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

MD5 815b7104d513570fde6344a8a9e27168
SHA1 ecb9cbcb4441f80a1fe473db6a82ebaa9a3f9b9d
SHA256 8fc962d6b2ad757575f457dab5dd676c1cf679bae4ec0f60f0623a3cda3f863c
SHA512 a29869f258c8972fa005449ba18ee9e926a6a7c2dcdfe31bb795e528d2f95838d891457a26d5ec0780565793d9b3d2ea4a1bc8701b15f0597c9eaeee645b0da2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c121ed662a519d17a340948293ded32c
SHA1 757fafff672304b3636df501e710f82562368828
SHA256 8335a45de8b18c768a662539216db60f70db61f1fc11a2c8977e3b9eacc3967e
SHA512 ba12e30d16371d93f02df7ce968d05cd1ce3664492b293af21c74b99c0f621f212b29b7f257b7883a21934fb3df92c50f56095f587dad44c4c5baba71f848e46

C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat

MD5 f1289adbf642f576b7f1b53c7ef00bbd
SHA1 4f1395916f0886e14aa7405f9a8108955b9df764
SHA256 f91de56aca49a4b9cd3ac8f2b81259471bdb96923896bb0ce10bf8d1fed1f796
SHA512 2570541e485b31e1e8551c873b9244c292ca0b960f38ae1feb25c997a8e2fc74fac65536f2a2c416fe6f606ff2ae13a4f3377117f35d7ae00e9b39db3e861ecf

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 02:00

Reported

2024-12-30 02:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |

DCRat payload

rat
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |

Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\121e5b5079f7c0 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |

Scheduled Task/Job: Scheduled Task

persistence execution
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| PID 2472 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2472 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2472 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 3984 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3984 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3984 wrote to memory of 3056 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3056 wrote to memory of 3508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe |
| PID 3056 wrote to memory of 3508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe |
| PID 3508 wrote to memory of 2488 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 2488 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 1980 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 1980 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 4924 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 4924 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 3164 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 3164 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 4072 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 4072 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 4348 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 4348 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 928 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 928 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 808 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 808 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 1292 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 1292 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 4116 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 4116 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 1944 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 1944 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 2736 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 2736 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 1432 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 1432 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 3440 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 3440 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3508 wrote to memory of 3224 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe |
| PID 3508 wrote to memory of 3224 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe |
| PID 3224 wrote to memory of 2764 | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\Windows\System32\cmd.exe |
| PID 3224 wrote to memory of 2764 | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\Windows\System32\cmd.exe |
| PID 2764 wrote to memory of 4160 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2764 wrote to memory of 4160 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2764 wrote to memory of 1940 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe |
| PID 2764 wrote to memory of 1940 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe |
| PID 1940 wrote to memory of 1832 | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\Windows\System32\cmd.exe |
| PID 1940 wrote to memory of 1832 | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\Windows\System32\cmd.exe |
| PID 1832 wrote to memory of 936 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 1832 wrote to memory of 936 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 1832 wrote to memory of 3880 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe |
| PID 1832 wrote to memory of 3880 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe |
| PID 3880 wrote to memory of 4880 | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\Windows\System32\cmd.exe |
| PID 3880 wrote to memory of 4880 | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\Windows\System32\cmd.exe |
| PID 4880 wrote to memory of 4876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 4880 wrote to memory of 4876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 4880 wrote to memory of 2440 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe |
| PID 4880 wrote to memory of 2440 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe |
| PID 2440 wrote to memory of 4768 | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\Windows\System32\cmd.exe |
| PID 2440 wrote to memory of 4768 | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\Windows\System32\cmd.exe |
| PID 4768 wrote to memory of 4952 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 4768 wrote to memory of 4952 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 4768 wrote to memory of 704 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe |
| PID 4768 wrote to memory of 704 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe |
| PID 704 wrote to memory of 3304 | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\Windows\System32\cmd.exe |
| PID 704 wrote to memory of 3304 | N/A | C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe | C:\Windows\System32\cmd.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_032e0013e1f8d50edcff31cea6c1ba923ff69d8205d9dee5d98c213a49848ab5.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\providercommon\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\providercommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Videos\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\conhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\unsecapp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\conhost.exe'

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

"C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

C:\providercommon\DllCommonsvc.exe

memory/3508-12-0x00007FFDEEA73000-0x00007FFDEEA75000-memory.dmp

memory/3508-13-0x0000000000D50000-0x0000000000E60000-memory.dmp

memory/3508-14-0x0000000002FD0000-0x0000000002FE2000-memory.dmp

memory/3508-15-0x0000000003020000-0x000000000302C000-memory.dmp

memory/3508-16-0x0000000002FE0000-0x0000000002FEC000-memory.dmp

memory/3508-17-0x0000000003000000-0x000000000300C000-memory.dmp

memory/4072-60-0x000001E0BBF40000-0x000001E0BBF62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3qrmavqd.xds.ps1

memory/3224-164-0x00000000023A0000-0x00000000023B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat

C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat

memory/704-238-0x0000000000C00000-0x0000000000C12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

memory/1028-245-0x0000000002FE0000-0x0000000002FF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat

memory/3020-252-0x00000000023D0000-0x00000000023E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

memory/2476-265-0x0000000002680000-0x0000000002692000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

memory/2964-276-0x000000001BC40000-0x000000001BDAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

memory/2300-289-0x000000001BF70000-0x000000001C0DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat
