Malware Analysis Report

2025-08-10 11:54

Sample ID 241230-cz3dgavmfy
Target JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3
SHA256 71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3
Tags
rat dcrat discovery execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3

Threat Level: Known bad

The file JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3 was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 02:31

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 02:31

Reported

2024-12-30 02:34

Platform

win7-20240903-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe [repeated 27 times]

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A [repeated 9 times]

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A [repeated 2 times]

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A [repeated 11 times]

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ebf1f9fa8afd6d C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RemotePackages\RemoteApps\101b941d020240 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Vss\Writers\System\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Vss\Writers\System\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\RemotePackages\RemoteApps\lsm.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A [repeated 3 times]
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A [repeated 10 times]
N/A N/A C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe N/A [repeated 10 times]

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A [repeated 3 times]
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A [repeated 7 times]
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe N/A [repeated 9 times]

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe C:\Windows\SysWOW64\WScript.exe [repeated 4 times]
PID 2060 wrote to memory of 1804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe [repeated 4 times]
PID 1804 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe [repeated 4 times]
PID 2680 wrote to memory of 2236 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [repeated 3 times]
PID 2680 wrote to memory of 2252 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [repeated 3 times]
PID 2680 wrote to memory of 572 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [repeated 3 times]
PID 2680 wrote to memory of 1064 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [repeated 3 times]
PID 2680 wrote to memory of 760 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [repeated 3 times]
PID 2680 wrote to memory of 616 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [repeated 3 times]
PID 2680 wrote to memory of 276 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [repeated 3 times]
PID 2680 wrote to memory of 844 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [repeated 3 times]
PID 2680 wrote to memory of 2952 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [repeated 3 times]
PID 2680 wrote to memory of 2572 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [repeated 3 times]
PID 2680 wrote to memory of 1212 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe [repeated 3 times]
PID 1212 wrote to memory of 2364 N/A C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe C:\Windows\System32\cmd.exe [repeated 3 times]
PID 2364 wrote to memory of 1356 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe [repeated 3 times]
PID 2364 wrote to memory of 644 N/A C:\Windows\System32\cmd.exe C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe [repeated 3 times]
PID 644 wrote to memory of 1844 N/A C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe C:\Windows\System32\cmd.exe [repeated 3 times]
PID 1844 wrote to memory of 1048 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe [repeated 3 times]
PID 1844 wrote to memory of 2212 N/A C:\Windows\System32\cmd.exe C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe [repeated 3 times]
PID 2212 wrote to memory of 1984 N/A C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp [repeated 10 times]

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2680-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp

memory/2680-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

memory/2680-17-0x0000000000480000-0x000000000048C000-memory.dmp

memory/2680-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

memory/2680-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

memory/1212-42-0x0000000000080000-0x0000000000190000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QO5QXC5CPF025TPBDVUZ.temp

MD5 d06d1cb298244f9755c8a9f0e49488b3
SHA1 b1ba4336cdd9c19b267ea474f9f8044be4770b83
SHA256 ed9fa0eaa3490a6c79c1154b9506226537d55f3a96dd2c74d259a207a0a7e5c3
SHA512 c5ea5de462f28e1b1a012cc3e504bb555e66fbc3b1d9910e97738a62d7accafec526dc8cab0abfeece73935ba15aa4746544300cd01015f9be680491062d93c9

memory/2952-54-0x0000000001C10000-0x0000000001C18000-memory.dmp

memory/2952-53-0x000000001B630000-0x000000001B912000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC821.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarC844.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat

MD5 170a82a5bb39adbe1ac2764c30651f63
SHA1 db01d4c649c27fe55a7eaab6af694d42a47d384b
SHA256 099af29f60b6032649cf46f58dfa57b801cfa3a3f49a3f1f7a91147ea4e06080
SHA512 56d6e931c15e00957b4105ef3363cd8b76bc688761c81178aa515b3d46f2b13e3244098c320d6bfd23079e5dfd19e897a0de8e0e057d3acfacd98b65b5207aa9

memory/644-152-0x0000000000240000-0x0000000000350000-memory.dmp

memory/644-153-0x00000000004D0000-0x00000000004E2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e737ec274e0fc813619f9f3f19fd487f
SHA1 de9dd67e2150d231694d5cc92a3f198dc400e1e7
SHA256 88f201c5d2a02a2e9547afcbb30aaf65ed07c152adb934f200c6d2e57daf38a0
SHA512 244ed3d36f49238ff3d0a822d0368d071ec66e3b07689729bf408bb354211ecda68c1b4de37bda974a8c91a10d819a6ff213ea38fcef998c7229c5d076696f4f

C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat

MD5 49876d5728cbd550e42f3d8cd31c4cc8
SHA1 d820ee39833d865bbabbdd3c1830111b4d29b779
SHA256 f79f5315d3f394e9ec86215fa38a5879329c019d1f5b0bf78140d8fdfd52336b
SHA512 38fb133ba2e8d832296aadc3bd9fab1c6d619c50a0111dd41a9ca2aa950f9c3438c913ca4ce4d01a25da7e8cc009153eb5c52fc09d1cee4c84f845faf90e22be

memory/2212-213-0x00000000003C0000-0x00000000004D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 edf352b24fc01befb7cf1c1770dafcb8
SHA1 88556f5c31a90bff2f923d4ae3e43cd553d0ece6
SHA256 d1cf2c572692f84ab77511552dfc875d7fae6d16535d0d74f8dd9ff085c3f130
SHA512 583035626ee09a069d482f5b3066c714757b1ba9e6ee8c7d7c7861586b5528eee64d1642915adefe87a3d9a18406934155c1ea1131ef78d17cb24e19f2951802

C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat

MD5 c21eab64699bc7ec0a70f7851786034e
SHA1 c73b733794767b8086b69a648026bb54ff5782c4
SHA256 56e1f2fe3b40d018491b55236cb0a00b0d8a05af3aac1a9d3e6422cce70fb42b
SHA512 cc687fa10d8d72f921f94282e6fe5b56f7a56a102f42adfe2c70d4155acc3663925f0bb521008b325a0b302cc5e0719b4b678f519bd5fbd6543b9d565efbecd5

memory/3036-273-0x0000000001100000-0x0000000001210000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78fa509f5b05dc4074668ac41bb44a2a
SHA1 f9aafa763f69fbf21708af5b241f6159759aad8e
SHA256 30a6d630f60957a268f6a12b5247e6e7ef0bd2b7b88d096731d710a51aa1a426
SHA512 e2d10138a7ce82c367fcebabb595743b60fee6096859f43214d466d321d10d9ca061784aa39a9222a84bedc3289798790d22a0d1e39e45e98b5d71cf07e71f20

C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat

MD5 bf3b043f63b78ea6510a4900a97cf2b7
SHA1 6fafa889f889d4e4491930419159dfd460899e2f
SHA256 cabf7da8725f484fee4adab4534d92a94c8dbe623ff0883123969ef724ebe40c
SHA512 c5422045413fede9efca4356ead5fa5014fbad0aa084fdaa89fe096d316af1967efc9dd42819fac0d1858c6ace6499901dcbee35796bb379fda60a068e4c073b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4892307fdf17080bae9b068f114aff9b
SHA1 113b4f90f10809ad2871126c0342e1b7471c8e87
SHA256 d1b744869d46c7b7ae8ddaa25e7bec42eb0b53eea00bf1fcff6f76ea78075a5a
SHA512 37c217d11fe1fc9f1b44ed6007647326b8bd79171c57a0827128250bd6a7ec0e1a571fb94d49f5713e2eab73637ccd90a38be65071277011cbf8603949e46912

C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

MD5 71bc2ae5a5fb7319f3e35d20207d4590
SHA1 f73b5bdb1f7e6346cf1f84e443bf64ceb0c1509b
SHA256 749c471ca39ccb7c7f6ce1f05255298f66df0ed98972b711842b62d863722ae9
SHA512 331665613a671d24babe57bd61a89d985f275559ddcc86334a0d48090304b0e6d8edd89ad4d589ccac03acf6b7b54456ba4db74719b24f119fbbbd3614d19033

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 023563e23f7df9321cc96b2fc439f078
SHA1 53d247dcec079edd32151f2662c24a57a2e462bc
SHA256 6e02527f5ca99bcf5e20a7b1af2acfc32baa527911266aa3eb1b5c710f41d1fd
SHA512 9920087d26fcf3ad2c2153799cd4d6d3e9ed7f606cda82c45cd777e1e39701b5351394ba153f0f2dcbbfc37def769e5bffeb7c9053b3e83599253fbd36426912

C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

MD5 2ac3cf45b31a7e4d8001c0764a26c70f
SHA1 a3c67f6a3430a46660159edb28465a0870448263
SHA256 e381e7443a760822eb438cd56e255b33f974f5a8deecbbc1a861aaeae77abe00
SHA512 d1f71d681aa0bd175fe96d4a7e8a5311375b374dfbfbff70df593db963a5b541d3156dfbb4e65c9d0cde1f4c8a0d9476ca4939d6cc26926c41fdd383f7f57db7

memory/2404-451-0x0000000001250000-0x0000000001360000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba581b11d8d1752c0a62efc728ffa5e6
SHA1 4475c060427cf100839579b5415260feb04e0750
SHA256 b0d80f0fa692d11c6c0b9c2cbd8c3934117e8a5712d14c078639977f03f75be0
SHA512 6ca207598329120715bc276cfe3754d043c7e8e4733ab0120d293e209632a0ea5fcaa9b410b88109cb275d29695e619a4355ef094b18c6dd3ac844890914824b

C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

MD5 30798499ffa0574f56c11f3244c455d7
SHA1 1b97406987886ccd11f817b7acb2536186365136
SHA256 25027e55acde40d4d928eec9feba1c644e005208abc720703561d151f9feaf3c
SHA512 40918b925644f529a15145fa272147405112ca465343367e7db8c25dc8807addb3e631ecdfc81827c975be1e1a4a8bd0abb3d791a8a5e510d64a40b6b3a48968

memory/2864-511-0x0000000001280000-0x0000000001390000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 081990756faeee74974483c1de9d879c
SHA1 f2325164b304a8e9d29e5365e6a66dcd996d498c
SHA256 421035e96aa9d301c3481aa12d5102b7694a54af530234268e846f2f50ecc497
SHA512 b61f0607297eb9f2cbe0a1465a0effea6925d6b09e5d4bea471125dc9fb4ba4f23fedb61c22f1392e10615710054aa8eabb9aed35083ea3cf2d66a19d1742fba

C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

MD5 99a5585668d66283836a468a5568cd73
SHA1 2240f79fd8e681f710cf747c181024dfef9032ac
SHA256 a892817e78d703b71a0a9fcfaaecc2c51e6ea7c8f50bbf078ae705f3a7409833
SHA512 96333d84f83f66a46304c1b8446c271328baae20b3ae11e37dca4f105d1958deb0bef994680f984a0802d24861dc91f7a55d18ec60c0d9da9cfd1a935a66beba

memory/1548-571-0x0000000001390000-0x00000000014A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dcff8de5325fefd15ab1717b3d20a74a
SHA1 aa9bcc53a5fcc8c306a5cf02cbab558436c79336
SHA256 73aa90874d3984dc15e8fdb4905635f64f3d277e994be178cc5c222b3dba2397
SHA512 677e65437276b5e98d5d2c2ca190759f1d2724b02f8d2b116672c8d45b17647549bf42ac89d6f22e165190a9d2ce0cc1a35c891814c72690fa368306090d61e1

C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

MD5 fdd7362939aa4c354630b675f573d4f3
SHA1 d772af70dbadc0487b7ab229c1350acd23372b60
SHA256 eafea70d4c95fcdbb54b737fb7d7bb71526e4b65d2e38e251108390373bac56d
SHA512 39254543b2b0eeef7ad906722b8da8dd2cf530acf5f63e964770b6275809a9d8a2a650ca2a46079730afcc21c15693ceaee38afe06433a2664f65774421c91f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a18fcf88d1c70bb0f7d0a78f88594a7f
SHA1 0c71aed1925f269c66aeb5d52c9c75550ff01436
SHA256 5110414b5e094d512185747680f22c1378576f89a8df39dbdb602e833ddec08e
SHA512 e11341ac2a675268de3df7908676f6eb2f9d0f0fffb1830cb847a88776fa1c62776b914eb9984087225bfe71754ee2f13b659e5c79defd58aa1653544e5a6391

C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat

MD5 47259aaf2a5ba9e6d6a05ef242f7c7d0
SHA1 67a6b1b84853538cd15a8a4105797302a6893ade
SHA256 a4cea47b640ef2a328c4457dc3a169d132ead3aa38a52fdb911017fda684b375
SHA512 e37964f0e2f2b410e1f126d00240b6b512f3262487031303089afcef7bef148e3cc6a80e32dac6a56155cf4a28364ef79dfcf7a155aa863e6a4e23119e0f0f88

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 02:31

Reported

2024-12-30 02:34

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\providercommon\spoolsv.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\a76d7bf15d8370 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\55b276f4edf653 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\TAPI\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\TAPI\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Containers\serviced\smss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Containers\serviced\69ddcba757bf72 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A
N/A N/A C:\providercommon\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4324 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe C:\Windows\SysWOW64\WScript.exe
PID 4324 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe C:\Windows\SysWOW64\WScript.exe
PID 4324 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe C:\Windows\SysWOW64\WScript.exe
PID 1992 wrote to memory of 3608 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 3608 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 3608 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3608 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 432 wrote to memory of 4484 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 4484 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 2136 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 2136 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 2728 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 2728 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 3600 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 3600 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 4824 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 4824 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 1916 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 1916 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 3380 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 3380 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 1740 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 1740 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 5036 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 5036 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 4044 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 4044 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 3408 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 3408 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 2760 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 2760 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 536 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\spoolsv.exe
PID 432 wrote to memory of 536 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\spoolsv.exe
PID 536 wrote to memory of 4688 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 536 wrote to memory of 4688 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4688 wrote to memory of 3248 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4688 wrote to memory of 3248 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4688 wrote to memory of 1080 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 4688 wrote to memory of 1080 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 1080 wrote to memory of 2272 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 1080 wrote to memory of 2272 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 2272 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2272 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2272 wrote to memory of 5036 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 2272 wrote to memory of 5036 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 5036 wrote to memory of 3808 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 5036 wrote to memory of 3808 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 3808 wrote to memory of 1832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3808 wrote to memory of 1832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3808 wrote to memory of 3588 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 3808 wrote to memory of 3588 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 3588 wrote to memory of 2464 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 3588 wrote to memory of 2464 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 2464 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2464 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2464 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 2464 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 2548 wrote to memory of 4832 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 2548 wrote to memory of 4832 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4832 wrote to memory of 3552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4832 wrote to memory of 3552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4832 wrote to memory of 4648 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 4832 wrote to memory of 4648 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Application Data\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Containers\serviced\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Containers\serviced\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/432-12-0x00007FF94B2D3000-0x00007FF94B2D5000-memory.dmp

memory/432-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

memory/432-14-0x0000000001720000-0x0000000001732000-memory.dmp

memory/432-15-0x0000000001730000-0x000000000173C000-memory.dmp

memory/432-16-0x000000001BB10000-0x000000001BB1C000-memory.dmp

memory/432-17-0x000000001BB20000-0x000000001BB2C000-memory.dmp

memory/1916-68-0x00000220A41D0000-0x00000220A41F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_egwb3t3n.qcg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/536-142-0x0000000002940000-0x0000000002952000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ecceac16628651c18879d836acfcb062
SHA1 420502b3e5220a01586c59504e94aa1ee11982c9
SHA256 58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512 be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28d4235aa2e6d782751f980ceb6e5021
SHA1 f5d82d56acd642b9fc4b963f684fd6b78f25a140
SHA256 8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638
SHA512 dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

MD5 4fc313004c17174f010723f2cff9c8ca
SHA1 fd22af0a37e9a885bb8fd254e75aa570767643bb
SHA256 6778e34f666b151861b7ed4a381d04a6f737efcf4689074279b6763548731f47
SHA512 3bec0f7689ed4b68957f11e0cb83fcb55a9c0609520b534755958d17b42c08d6018e0a6aff5abaa4435c79dfad13a454cfb7623e059ca7e89e021b8bda012149

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

MD5 742af4a3f8089b6d95a760cdb57bcc2b
SHA1 0e0e6d0ea6d8a5048b5aed7e63bce731ff460f9d
SHA256 761c42a2cca6f56dd31c85c1df88ca4e7883ace819588eca36465c3c06d72c04
SHA512 68b5d025d08178d127fd520750ddadc02a49f7c66c9e9a25865161ce84b723f8ce8beac055cdede073865ca39d82e53f71fdc6e0f626297ba6f394b875da96e6

memory/5036-198-0x00000000025B0000-0x00000000025C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

MD5 8060da6d2d56701b9a73313c9abf62b0
SHA1 1a0400b307717a04d0062ea795aa9bef19c41b1d
SHA256 eacd84331823c751cce56f971eb643e7de4d7b8a8e7d6f878245092b79d043ca
SHA512 72ee78cfe35a9e1fa6ab826ef62f138dedb23e84661b3553e3e82521aabec61d8330f820c94b4df8b9c1c7620b1db25b58ce6d789d2b980b6a05db5fe894bb2a

memory/3588-205-0x00000000015F0000-0x0000000001602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat

MD5 9fbbed690fb00c589c2041ebec0e4111
SHA1 5320bf6b44daa9f7fc647ad2393ad65abbcd48e9
SHA256 7261885a81acf1264101319934362dad1c4e40d9fb40834cfdab0f72afc0f5f2
SHA512 28523fbe56493484a9fafacb174e6fb6cef6c1787e460974bdeaac71b7d6a7b7fef5d70dcfb858c0c93844f1516c6c92f34babffd8547f263d25b280231fff8f

memory/2548-212-0x0000000001770000-0x0000000001782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

MD5 0c11da476e2a13eaaedcb0de59f6afea
SHA1 0d0a129a5523d6143bb763b613efccd28748f12c
SHA256 21559c3be7d3191c57a44ff5baaae7fbc40a6e0ee261a12c47771bafb947d18d
SHA512 15a4b5e96125cac7e6353ab41e7be39989f3374fe3db16e9dd21cb3401090525be244191e2138ae768adfa248c9ee8d5921c2096802ea1e6f7ff7ea025ebd47f

C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat

MD5 982ef46df5f773ad796c7a4fa5ef9c62
SHA1 2b01194a27f1752d7845bd6e576cd41cd704c409
SHA256 fd3a85bc0810d72a42d1b5a2325552234885509f2dff207d8b07eadb388a6af0
SHA512 c0c3ac320d97890cbaa37cac199ffc79ee86f9dd84f6b0d067ead3540d92c9d25309348f3a5ccdb40646a5fc42b984aaa3b8c937a7e42331cfaa95c18af51c95

C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat

MD5 1922ffd5f95f3ab38a5f07222617b2f9
SHA1 19845b0a22d47030404f300913b9a6cbc260a1f7
SHA256 cc418e1ccaefc01a2ba5210b8fa9d6040ce1766763391738b0ecd00fded17881
SHA512 c4fe9c38ce9bf5d488aeb587092c4c8a83e984ea4d5e7fc081eb7d1d45d69489e381d6903d4215ec6f11547405e960ff69e653af4841879f3e73e33120ee5b24

C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

MD5 57a884d8985c3d28bca36ee6dec8d2c0
SHA1 717ce06b76c97c390c77e72f3ed788361348c0dc
SHA256 d003e9c57f3557d97ba2a51dcecc1bcc2d6429e632e43241bf1ed60fd93dd051
SHA512 c96938d5a97b53d01d1bc0fe7a976c860d58eab735da3863dbb3768698f2e739c3166d4e42b76c28566e56bfd0b282d45d0cbd077481c06cd429754c1cb70bf8

C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat

MD5 f9c9ab5617280c80243b3c223ae505c7
SHA1 766dc634656b196bfa73b8970f420446a1b9d2ad
SHA256 8768afd38a2acfd0b335b17918e8c8fe9313feb23ed967f21123e58484d45d16
SHA512 6a355f8ea8bd8c0c8a5194b967cf519603c3e8527dab0ac6db3b9355235ec9fe6e934dc973b3e9a4fd3b7d917874d372cba6794022c335da54e84004a505fdb6

memory/3552-249-0x00000000016E0000-0x00000000016F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat

MD5 300e434b28d5ed67c3418b30f5641afc
SHA1 6fa1e4964c5ea5d9c33c43eebccedee48def6e94
SHA256 a79023484c0c0c6c5f1c627be7a8042384977e3844ec58fd9fecc5ea45fbe95c
SHA512 37713f50a02765ce4ea51d74edf27d4a1c30f8670dd6ea99a0193e8e7915dd917c265393fc6bf469891ba95e89c915900d2c0e63f4345198bcdec4ae96d34c51

C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat

MD5 8443ac11273ed11b29509539d0928cc1
SHA1 494012bc0a727d4ca1bec1bd9532784ab3e13481
SHA256 e84450072712ceb1517881bb03d05346f16eb6b9559e3fa104584b82e4111338
SHA512 1830e310d6160516eed58abeb8a716768e1877a3c0216f55010b032331ea45486a4000d816f9184139ffd40ad3a3b47793f5949cddd693677065c07131edccd6

C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

MD5 2c6dd729642027ae6b9a7b8eaa978b64
SHA1 38181cda539a36f6aa936a5545c9a80b20206fcd
SHA256 8730a6486bf1d5b23216da307fab7693d767f904c82fac270238a1689753099d
SHA512 a799ba321201db2ec0ebdfca66e49b8a971c8e836564d52036f0718f9e6f1c1ef0e40f4a74cbd5e07fe7e47861747b38bd944bec6d048c4eb7426e12caf4f312