Malware Analysis Report

2025-08-10 11:52

Sample ID: 241230-csmdnsvkew
Target: JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a
SHA256: a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a
Tags: rat dcrat discovery execution infostealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a

Threat Level: Known bad

The file JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Process spawned unexpected child process

DCRat payload

Dcrat family

DcRat

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported: 2024-12-30 02:20

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-30 02:20
Reported: 2024-12-30 02:22
Platform: win7-20241023-en
Max time kernel: 147s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 21

DCRat payload

rat
Description Indicator Process Target Count
N/A N/A N/A N/A 10

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 2

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target Count
N/A raw.githubusercontent.com N/A N/A 11

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Uninstall Information\WmiPrvSE.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\24dbde2999530e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Google\taskhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Google\b75386f1303e64 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Journal\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files\Windows Journal\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Journal\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Panther\setup.exe\OSPPSVC.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Panther\setup.exe\1610b97d3ab4a7 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\de-DE\smss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\de-DE\69ddcba757bf72 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 8
Token: SeDebugPrivilege N/A C:\Windows\de-DE\smss.exe N/A 11

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1484 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe C:\Windows\SysWOW64\WScript.exe 4
PID 320 wrote to memory of 2968 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2968 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe 4
PID 2440 wrote to memory of 2484 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2440 wrote to memory of 2128 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2440 wrote to memory of 2308 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2440 wrote to memory of 2072 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2440 wrote to memory of 1244 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2440 wrote to memory of 2448 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2440 wrote to memory of 2320 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2440 wrote to memory of 2272 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2440 wrote to memory of 1000 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe 3
PID 1000 wrote to memory of 1808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 3
PID 1000 wrote to memory of 2172 N/A C:\Windows\System32\cmd.exe C:\Windows\de-DE\smss.exe 3
PID 2172 wrote to memory of 2948 N/A C:\Windows\de-DE\smss.exe C:\Windows\System32\cmd.exe 3
PID 2948 wrote to memory of 920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 3
PID 2948 wrote to memory of 2384 N/A C:\Windows\System32\cmd.exe C:\Windows\de-DE\smss.exe 3
PID 2384 wrote to memory of 884 N/A C:\Windows\de-DE\smss.exe C:\Windows\System32\cmd.exe 3
PID 884 wrote to memory of 2188 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 3
PID 884 wrote to memory of 1648 N/A C:\Windows\System32\cmd.exe C:\Windows\de-DE\smss.exe 3
PID 1648 wrote to memory of 2584 N/A C:\Windows\de-DE\smss.exe C:\Windows\System32\cmd.exe 1

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Google\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\smss.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tAV1Y7tqnp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\smss.exe

"C:\Windows\de-DE\smss.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 raw.githubusercontent.com udp 1
US 185.199.110.133:443 raw.githubusercontent.com tcp 10

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

\providercommon\DllCommonsvc.exe

memory/2440-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

memory/2440-14-0x0000000000240000-0x0000000000252000-memory.dmp

memory/2440-15-0x0000000000250000-0x000000000025C000-memory.dmp

memory/2440-16-0x0000000000360000-0x000000000036C000-memory.dmp

memory/2440-17-0x0000000000370000-0x000000000037C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

memory/2308-46-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/2308-47-0x0000000002170000-0x0000000002178000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tAV1Y7tqnp.bat

memory/2172-80-0x00000000001C0000-0x00000000002D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab13F0.tmp

C:\Users\Admin\AppData\Local\Temp\Tar1412.tmp

C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

memory/2384-139-0x00000000003D0000-0x00000000004E0000-memory.dmp

memory/2384-140-0x00000000003C0000-0x00000000003D2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

memory/1648-200-0x0000000000D30000-0x0000000000E40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat

memory/2356-260-0x0000000000050000-0x0000000000160000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat

memory/2600-320-0x0000000001050000-0x0000000001160000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat

C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 461ba7caa2769b854fab1ef3e4d0ecec
SHA1 76d6c3294cc32700918afe2eb3d714aeabd0e57d
SHA256 273cc5a259d8fdb9f867e74d04976d27c53b854d9155ad16d23ebd83f7e94cbf
SHA512 b19f0a16e3140ddcd440d14ac3fc6f6170f12dc33415b8a85ded8517021ee76ec62f022b23789630b87419942d531b8a6c12378a561fcccf7e116ce0f35684f0

C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat

MD5 327223ff0a699811119665ebd191dd5a
SHA1 ab1f87ae3fcfe40ef66235acb4457fa8eac688e0
SHA256 8c769ca16012b40d489ccfd125d6833b9a7fc4252a350e38743a34bdcb126de8
SHA512 183a4fe21c1f550233d6b17938471f72e2ccdf0af0953b029e33daf9cc0b73ae7f71e48b72890e6c8a89a9d8fd377e795f998e02bd8f1f6f642d8ac8854bc34b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1136214d365bc2143abb3e0a103a7136
SHA1 04096a3b47d5dc4d85957de6ae88703e99dfb746
SHA256 043fd93f91e90f4fd8cf26cd3339d652641f1c8ae2e812ffc13453bd56398134
SHA512 4d37d384c2ee860706e4fe6cddd911aa86d5edef77ca8d232003fcef3e904dbd44b7135ae9f310d3897ef20aa7a7d2e9512ee41e033f89366f246e8a52c168f5

C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat

MD5 8705334ae6478da8e18e66e24f79f0bf
SHA1 70adb978844dc0fe6caba9237d30851831170e01
SHA256 92b3a2220b477801dac0f653d1417d40a5dbe7b3141382e313e3aaf3e1b9476a
SHA512 88d38c239316d1bf77c62280a9901d4207ec6b5637415b1c434adb7cdd085854481652d073bfb0b577dc8c6723d991442790e3ef1d795e4c4c8ab6d4ef392957

memory/2264-557-0x00000000003F0000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f54bbe74e7438713a56637d3a0344f44
SHA1 14f0e6022e9b6c98210907b15b2fe9e399afdb25
SHA256 3fab341da6aa8d9e4739622aa437edbc085a1587de25b14ed4c2fd1726da78c9
SHA512 f3e994d77f253870dbe62718735a6a79215f31f8312937abd2ee564c226d8817c0a9aa19901520aa628ff4cd6f17cd3f9ee5c409a910bd5fd5f2c0acaddb3432

C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

MD5 85ab83617f4809cc385cb47c0751210d
SHA1 da04f4d51998cd8650d61e2767eff8639f6f1ede
SHA256 5fc826a6733c9900ed2394e60714d328b6c645001825501d519ac1ab343ae92e
SHA512 9e1d2609035561e1a707f16425f1fa998987a463254fd9a2aa25d7fb9baa116752ca5bd8b2ebdf6c6f5997d357d522d249052604232586f6287e2b516800868c

memory/2880-617-0x0000000000F50000-0x0000000001060000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 583e83a87cb43f3cd71cce532a2b7135
SHA1 64729ae98b02d4e506f87221a0b277106ea91607
SHA256 fb87d18faf976b16227b7feb8ccc46e3a6ef65c492418b62239394c60abbbf4b
SHA512 6168bb0d79fbd74ff689e146f33765427dfe6907eb10d9727078e1a4c9d972344776f2adbe6167ecfcba2fc6914a08a05715764b9bc54cbabf3003e621946b23

C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

MD5 182326d93f6160edc3bd98bf5cb468b5
SHA1 26d1d507b257d1d6689c87f85e2884015bec6f01
SHA256 f2aac45564291e54d834e9ebc1dc040c1f951bb5f19cf45f58695d7982bcd197
SHA512 24c484192cfff1c3b1f30787ab87a72a10fdf21f70f0ce9b500d895ff9d3e852ef29ba878891ba4a77ad5cfe24aeb73d405b65c5a705faf246b5107d73a1e4ee

memory/1928-677-0x0000000000390000-0x00000000004A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 02:20

Reported

2024-12-30 02:23

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Public\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Public\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Public\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\e6c9b481da804f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\Addons\6ccacd8608530f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\ModifiableWindowsApps\sysmon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Crashpad\reports\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files\Crashpad\reports\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\ModifiableWindowsApps\StartMenuExperienceHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Crashpad\reports\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\services.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\c5b4cb5e9653cc C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\Addons\Idle.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Panther\setup.exe\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Panther\setup.exe\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Public\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\DllCommonsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\DllCommonsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe C:\Windows\SysWOW64\WScript.exe
PID 2300 wrote to memory of 1884 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4544 wrote to memory of 208 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 3116 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 2504 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 3244 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 5040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 1084 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 3592 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 632 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 4308 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 3472 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 668 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 3264 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4544 wrote to memory of 3036 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Public\DllCommonsvc.exe
PID 3036 wrote to memory of 1748 N/A C:\Users\Public\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 1748 wrote to memory of 4312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1748 wrote to memory of 4936 N/A C:\Windows\System32\cmd.exe C:\Users\Public\DllCommonsvc.exe
PID 4936 wrote to memory of 4144 N/A C:\Users\Public\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4144 wrote to memory of 3608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4144 wrote to memory of 2928 N/A C:\Windows\System32\cmd.exe C:\Users\Public\DllCommonsvc.exe
PID 2928 wrote to memory of 3456 N/A C:\Users\Public\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 3456 wrote to memory of 1324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3456 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Users\Public\DllCommonsvc.exe
PID 1672 wrote to memory of 4556 N/A C:\Users\Public\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4556 wrote to memory of 1840 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4556 wrote to memory of 3084 N/A C:\Windows\System32\cmd.exe C:\Users\Public\DllCommonsvc.exe
PID 3084 wrote to memory of 4896 N/A C:\Users\Public\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4896 wrote to memory of 1756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4896 wrote to memory of 4292 N/A C:\Windows\System32\cmd.exe C:\Users\Public\DllCommonsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a31a2c723d18f5db2c5d963c5fffb6f1931384e5b24dd2da129d1a208f27322a.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\setup.exe\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\setup.exe\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\features\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\browser\features\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\providercommon\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Public\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Searches\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\bin\plugin2\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\Integration\Addons\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\WmiPrvSE.exe'

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\DllCommonsvc.exe

"C:\Users\Public\DllCommonsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4544-12-0x00007FFB395A3000-0x00007FFB395A5000-memory.dmp

memory/4544-13-0x0000000000700000-0x0000000000810000-memory.dmp

memory/4544-14-0x00000000010E0000-0x00000000010F2000-memory.dmp

memory/4544-15-0x0000000001110000-0x000000000111C000-memory.dmp

memory/4544-16-0x00000000010F0000-0x00000000010FC000-memory.dmp

memory/4544-17-0x0000000001120000-0x000000000112C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

memory/3472-57-0x000001C8B5270000-0x000001C8B5292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x42halfc.ggl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

MD5 a9548c41e6caa6c1643e068f51d344fe
SHA1 2438db2e072590fcaa244d1c8459d9e51f51ede9
SHA256 117589b95de4f1b97e80cedf04b1f19bfe0b5b0070fced42e0c9716976980b34
SHA512 f1002cb8ca14e1b584a2c3346618bd7e7982c2f29a604438c17ba2f940f7b850787b79ac7a47be554366634c764eddacdc11b54ce2b1ad1f88b7dbefde66f98c

C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

MD5 f60534ae680673fb784339f1020aa2db
SHA1 ac8163f91b43c0fcf77a229211caacc4a4703c7e
SHA256 b2e1ebda22fa6a8d7a2c3539cee3f694b9f76a429fd77927f278569938ff7f07
SHA512 29352cb0fc1f8f8fc2464ffcadc46ed06b0ccfd2811f5b713ea304211d87e52232fe2abd59dca0f275a4995c076a5927d84cfa3dec1d4757aaf7f224313a5f26

C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

MD5 bc2bc74c576dc35408643c7b9db3719f
SHA1 f2f7e2a5307a3e8ed17199af029a6b960c58f4c9
SHA256 082d1760becb4878eac59ce7614564547960d447cda85b41b3f7895475ff1831
SHA512 84a010747eea23ecadfb64eb43b569d67769bb2a6231e12d82f26ab1885eb2d960cb9d908db84ece4b0353f635d14a57a7f8f06d74da2e7aabfabf0e08bac471

C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat

MD5 cc468492fae4cb494aaf44152e33b6a2
SHA1 245ec7cf535e137ad7ef4f10de18be38d8e8f916
SHA256 4fc568c19d1d5ebf84cd46ddaa97d9f1df447e81ab23d423b1606130e46a3149
SHA512 51728659faa19b6d6cc56cc49d50c78f494bd51d5f952b43fa7215d442df64762e9152bb83192b68a20fdf8409ed21ab1bb8e639a037e7b28090b05420361395

memory/3084-210-0x0000000000C90000-0x0000000000CA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat

MD5 11c1a08700f2c2acccb4ee59573f081d
SHA1 370415ea20b10af6da0a59e96b7addef345cb291
SHA256 4d63c5364cceffbbcdadef9739914e62839c907db2863af377d6a47b7313ec82
SHA512 b9829313ff9a1481b8bfbcfe42454cd47629292a50328ab5976b541ed0348026fc095dcf1604cba18f447d51bb22d130acb11f7e817e26c16b26de13766a5a0f

memory/1820-229-0x00000000028D0000-0x00000000028E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

MD5 974602ebe4582ceb75e189363aae73b8
SHA1 0c2b3e78803b64923a49642d590eeb1abdebc80a
SHA256 19c087556a2ae365e3c0c581b07cf64d7f157011b40064534e38bdd31574b860
SHA512 6f38201053257126ba36fbc9719c06e73a44944dd0e493ce6a168e1301e4b47aae70570bdb600cd8e8dab6192be4e3f7ce3806cc73501513e5edf05fa8ee0922

memory/32-236-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat

MD5 a2b38dd6c03f7bd543c29c0c89ccb120
SHA1 01ab4a27736d40938000cba173df363a8921e811
SHA256 45c5fad80ec9ebcd8cc14f9146b09155289909c4a4a17d3df9f0f7f5324db218
SHA512 387cd3bb7bd606eec02b4cf6e0a83d9deb56e970703db95754375cac4f2c730278d0e6a368f02b240aa32d2d4f20daef514afb90d2953cbd29e1c6312c3c188b

C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

MD5 58c37a60454a398eecba79f6de0c0a71
SHA1 c414d72035f0d7897bb008b60b9055a4ef2d5fad
SHA256 2e0700a4c88f5d9b125bc69433e2bb27c0f35bfda9000f3390ea6565ba87b5d6
SHA512 e9acac8802efd722e8977be4f2617e2db1b705a4617edb244bfed554d577c7d8fdcb8485a9bc7c43e3592450ec2c0fb8eeaa2844ae78b346a4e1485b1fb87799

C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat

MD5 eed998e9c534d5750ded966948084ca7
SHA1 469d1dbd62c39adc375c5360c798631ed651dec8
SHA256 7f528140023526c032a3d74cb35d0865a0cf5ba6e67dcff7e2e9d6986d5c9935
SHA512 100605cdff6ad593d1b85cd80e11fbf79ba9c70631cfe4b56f6ccd76ca6be0ad3fef17d471b8d729ad84521a1e1716f73784fb5b80b733500d292201c4f81516

memory/4336-255-0x0000000002420000-0x0000000002432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

MD5 de8e5b82ea98ad7ef79fe35c9d5270f6
SHA1 487e51e7ef9a72b947b1fcbae85aadb99becd543
SHA256 0f2907df48df11ee163a940da99b5385fbe0b4985f801e5fa916d81386013a01
SHA512 0b4b3992cfe1c61457607dca68e95f28ffb1e3ff8f4e093d9ac6240531450d4346330896dfa2a2c29ebc28b0e234fdbd274bc3de2f62706f166173373ba192f4

memory/2972-262-0x0000000002F30000-0x0000000002F42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

MD5 8b90fe24e9da76c25b52194f816ab774
SHA1 5cbd3b7415afd459f1ebd2f3dd8e02437fec4809
SHA256 365ea0c13a129076ff309f4a9436d95f62ed0e93c5d61fe744a2eeb592de84d1
SHA512 c97ea00da1f4134c9c592d3c734d5e5cb2b91e141b6686c3836cc1a2c99240514030de0a219d1f713a47df564c3dfd555536f894a963e7971cf6e472519410c4