Malware Analysis Report

2025-08-05 09:04

Sample ID 241230-v21xja1mbm
Target JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef
SHA256 44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef
Tags: rat dcrat discovery execution infostealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef

Threat Level: Known bad

The file JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery execution infostealer

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 17:29

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 17:29

Reported

2024-12-30 17:32

Platform

win7-20241010-en

Max time kernel

146s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (39 identical rows, one for each of the 39 schtasks.exe /create invocations listed under Processes)

Note on the parent: a process created through WMI's Win32_Process.Create method is a child of WmiPrvSE.exe, not of the caller, so whichever process created these tasks (not identified in these rows) has severed the parent/child link between itself and schtasks.exe. A WmiPrvSE.exe spawning schtasks.exe is therefore worth an alert on its own; for attribution, correlate on the task targets (the /tr paths under Processes) rather than on the schtasks.exe parent.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (9 hits; the sandbox records no per-hit detail for this signature)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A (9 identical hits)

Caveat: raw.githubusercontent.com is shared infrastructure behind a great deal of legitimate traffic, and this section records only the host, not the requested URL, so the domain is context for the analyst rather than a blocklist indicator. The persistence paths and task names under Processes are the actionable IOCs from this run.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Mail\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\ja-JP\24dbde2999530e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\ebf1f9fa8afd6d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Mail\wininit.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (39 instances; the full /create command lines are listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (14 instances)
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe N/A (9 instances)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (14 instances)
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe N/A (9 instances)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2684 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe C:\Windows\SysWOW64\WScript.exe
PID 2684 wrote to memory of 2700 (4 writes) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2852 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2852 wrote to memory of 2908, 2164, 1048, 2044, 1432, 2356, 2396, 2112, 2392, 1520, 872, 1512, 1816, 1776 (14 children, 3 writes each) N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1044 (3 writes) N/A C:\providercommon\DllCommonsvc.exe C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe
PID 1044 wrote to memory of 3016 (3 writes) N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe C:\Windows\System32\cmd.exe
PID 3016 wrote to memory of 332 (3 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3016 wrote to memory of 2620 (1 write) N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe

Read as a launch chain: sample .exe (2884) -> WScript.exe (2684) -> cmd.exe (2700) -> DllCommonsvc.exe (2852) -> 14 x powershell.exe (one per Add-MpPreference exclusion under Processes) and System.exe (1044) -> cmd.exe (3016) -> w32tm.exe (332), then a fresh System.exe (2620). The 39 schtasks.exe instances do not appear here because their recorded parent is WmiPrvSE.exe, not any process in this chain.
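The rows above fold into a process tree once the repeated writes per child are collapsed. The script below is an added example, not report output: it parses rows in exactly the shape this table uses, keeps one parent-to-child edge per pair with the write count, and renders the tree from the root. The sample rows are copied from this table (a subset, with one repeated row kept to show the de-duplication); the function names are the example's own.

```python
"""Rebuild the launch chain from 'PID X wrote to memory of Y' rows of a
WriteProcessMemory signature table. The sandbox records three or four writes
per child (the parent populating the new process before it starts), so rows
are folded into one parent->child edge each, with the write count kept."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Description, Indicator (N/A), Process path, Target path; both paths start
# with a drive letter, which is what separates them when they contain spaces.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.+?) ([A-Za-z]:\\.+)$")

# Rows copied from this report's WriteProcessMemory table (a subset, with one
# of the repeated rows kept to show the de-duplication).
SAMPLE_ROWS = [
    r"PID 2884 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2884 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2684 wrote to memory of 2700 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2700 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe",
    r"PID 2852 wrote to memory of 2908 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 2852 wrote to memory of 2164 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 2852 wrote to memory of 1044 N/A C:\providercommon\DllCommonsvc.exe C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe",
    r"PID 1044 wrote to memory of 3016 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe C:\Windows\System32\cmd.exe",
    r"PID 3016 wrote to memory of 332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 3016 wrote to memory of 2620 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe",
]


def build_tree(rows):
    """Parse rows into (roots, children, names, writes).

    children maps a parent PID to its child PIDs in first-seen order, names
    maps a PID to its image path, writes counts the raw rows behind each edge.
    """
    names, children, writes = {}, defaultdict(list), Counter()
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue  # header line or a row in another shape
        src, dst, src_path, dst_path = m.groups()
        names.setdefault(src, src_path)
        names.setdefault(dst, dst_path)
        if writes[(src, dst)] == 0:
            children[src].append(dst)  # first write to this child: new edge
        writes[(src, dst)] += 1
    is_child = {d for kids in children.values() for d in kids}
    roots = [pid for pid in names if pid not in is_child]
    return roots, children, names, writes


def render(pid, children, names, depth=0):
    """Indented tree lines, image basename only, children in launch order."""
    lines = [f"{'  ' * depth}{pid} {PureWindowsPath(names[pid]).name}"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, names, depth + 1))
    return lines


if __name__ == "__main__":
    roots, children, names, writes = build_tree(SAMPLE_ROWS)
    for root in roots:
        print("\n".join(render(root, children, names)))
    for (src, dst), n in writes.items():
        print(f"{src} -> {dst}: {n} write(s)")
```

The tree stops at the processes that appear in a write row, which is why the schtasks.exe instances are missing: their parent is WmiPrvSE.exe, so they have to be attached from the "Process spawned unexpected child process" rows instead.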

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
(The command line names System32 but the image that ran is the SysWOW64 copy: the calling sample is a 32-bit process, so file system redirection mapped the path. Match on the image path, not the command line, when writing a rule for this step.)

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\csrss.exe'

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe"
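The schtasks and powershell lines above are the sample's persistence and defence-evasion steps in one place: every planted copy (csrss.exe under the user's Cookies folder, OSPPSVC.exe under the Default profile, and so on) is registered as a task that re-launches it every few minutes or at logon, with /rl HIGHEST wherever the dropper could get it, and the same paths are added to Defender's exclusion list with Add-MpPreference. The Python below is an added example, not part of the report or of the sandbox's own tooling, that parses a subset of those lines (copied verbatim from the list above) and cross-references them. The set of impersonated binary names and the allowlist of directories where such names are legitimate are simplified assumptions made for the example.

```python
"""Triage the persistence (schtasks /create) and Defender-exclusion
(Add-MpPreference -ExclusionPath) command lines from the report.
Added example; not the sandbox's own code."""
import re
from pathlib import PureWindowsPath

# Subset of command lines copied from the report above, one per line.
REPORT_CMDLINES = r"""
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\OSPPSVC.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\csrss.exe'
""".strip().splitlines()

# Binary names the drops impersonate, and where such a name is legitimate.
# Simplified allowlist (assumption): Windows binaries live under C:\Windows\,
# Office components under Common Files\Microsoft Shared\.
SYSTEM_NAMES = {"csrss.exe", "wininit.exe", "dllhost.exe", "conhost.exe",
                "cmd.exe", "audiodg.exe", "wmiprvse.exe", "osppsvc.exe"}
LEGIT_PREFIXES = ("c:\\windows\\", "c:\\program files\\common files\\microsoft shared\\")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
MP_EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)


def _flag(cmd, flag):
    """Value of a schtasks /flag: either a "quoted" token or a bare word."""
    m = re.search(r'/%s\s+("[^"]*"|\S+)' % flag, cmd, re.I)
    return m.group(1).strip('"').strip("'") if m else None


def assess_path(path):
    """Reasons a binary at this path looks planted rather than legitimate."""
    low, name, reasons = path.lower(), PureWindowsPath(path).name.lower(), []
    if name in SYSTEM_NAMES and not low.startswith(LEGIT_PREFIXES):
        reasons.append("masquerades as system binary outside its normal directory")
    if not low.startswith(LEGIT_PREFIXES) and not low.startswith(PROGRAM_DIRS):
        reasons.append("binary outside Windows/Program Files")
    return reasons


def parse_schtasks(cmd):
    """Structured view of one 'schtasks /create' line, with triage flags."""
    if not re.match(r"\s*schtasks(?:\.exe)?\s+/create\b", cmd, re.I):
        return None
    task = {"name": _flag(cmd, "tn") or "", "schedule": (_flag(cmd, "sc") or "").upper(),
            "interval": int(_flag(cmd, "mo") or 0), "target": _flag(cmd, "tr") or "",
            "runlevel": (_flag(cmd, "rl") or "LIMITED").upper()}  # LIMITED is schtasks' default
    flags = assess_path(task["target"])
    stem = PureWindowsPath(task["target"]).stem.lower()
    # DCRat-style naming seen above: task "csrss"/"csrssc" for csrss.exe, "OSPPSVCO" for OSPPSVC.exe
    if stem and task["name"].lower().startswith(stem) and len(task["name"]) - len(stem) <= 1:
        flags.append("task name mimics target binary name")
    if task["schedule"] == "MINUTE" and task["interval"] <= 15:
        flags.append("re-launched every few minutes")
    elif task["schedule"] == "ONLOGON":
        flags.append("re-launched at every logon")
    if task["runlevel"] == "HIGHEST":
        flags.append("requests highest run level")
    task["flags"] = flags
    return task


def triage(cmdlines):
    """Split command lines into tasks and exclusions and cross-reference them."""
    tasks, exclusions = [], []
    for cmd in cmdlines:
        task = parse_schtasks(cmd)
        if task:
            tasks.append(task)
            continue
        m = MP_EXCLUSION_RE.search(cmd)
        if m:
            exclusions.append({"path": m.group(1), "flags": assess_path(m.group(1))})
    scheduled = {t["target"].lower() for t in tasks}
    # A path that is both scheduled and excluded from Defender is the strongest signal.
    both = sorted(e["path"] for e in exclusions if e["path"].lower() in scheduled)
    return {"tasks": tasks, "exclusions": exclusions, "excluded_and_scheduled": both}


if __name__ == "__main__":
    result = triage(REPORT_CMDLINES)
    for t in result["tasks"]:
        print(f'task {t["name"]!r} -> {t["target"]} [{t["schedule"]}/{t["interval"]} {t["runlevel"]}]: {", ".join(t["flags"])}')
    for e in result["exclusions"]:
        print(f'exclusion {e["path"]}: {", ".join(e["flags"]) or "no flags"}')
    print("excluded AND scheduled:", result["excluded_and_scheduled"])
```

On a live host the same cross-reference is the first thing to pull: the task list (Get-ScheduledTask, or schtasks /query /v) against Get-MpPreference's ExclusionPath, looking for a binary that appears in both and sits outside the Windows and Program Files trees.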

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2852-13-0x0000000000C60000-0x0000000000D70000-memory.dmp

memory/2852-14-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

memory/2852-15-0x0000000000C50000-0x0000000000C5C000-memory.dmp

memory/2852-16-0x000000001A5F0000-0x000000001A5FC000-memory.dmp

memory/2852-17-0x000000001A700000-0x000000001A70C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d9ab908dd0ea8222bf36bda08d38c06a
SHA1 69d54fb59cab5608d4f857d669cc2ddd3266519a
SHA256 9b79c6fe1f916342576574f417eec73f33888ff5db163a27ea09a069ccae4e53
SHA512 1392367321698029833256b214441aaa55b8a57b96d2bff541402f0d9a6bb25c4482897560989e6d0c494849ea4612523c069db3796d58d2992082d556a89e69

memory/1044-87-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

memory/2396-71-0x00000000020F0000-0x00000000020F8000-memory.dmp

memory/2396-70-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/1044-97-0x00000000002C0000-0x00000000002D2000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Cab9F8C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar9FAE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

MD5 59f29fe13512cf56fe2da1dce7040594
SHA1 07c00e91c17114885e72e25afeb428c277616f30
SHA256 c08f26e65b3d08804029432c84f31c14ffec231bd526eb8a7e258e39c115b723
SHA512 bb34e5fe4643bbbcb28e46a09c25c2b869bc46ac95333d6e91bd18ab1deb1a997ce727740dfef2fe1c1d291b76df2932d411ce2a14e6954864bf662e5a89b0a6

memory/2620-183-0x0000000000340000-0x0000000000352000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2613e69d782ddd46dfbe29064b12a57
SHA1 bfb2e4d9642252815f93b942a2e81b406ba51c23
SHA256 81f08438215c41f5a2b09da9e475fbb81fc953ce422745380518984cab7b1cc7
SHA512 93c57f5e3c1cd73d2a0924b6e2541b2492a542c6f3ce2102069a0ba49495da1fe468b3df179ffda3fc51ae05df87659a9a521c71b0a9508bfebae257f3448cb3

C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

MD5 2cfda50db47f47a0d2d56809acfa3bf6
SHA1 f2e32f5bc3cd7e9d52a9f737c87236a8a5acec82
SHA256 538ecd667fe16a070936f699c62d4e13d1b379375b946bae7f7bc5e09bb21087
SHA512 4fa18c315c065bad0db10d32ab15258e3cf5d1957067a974fa62a67e7ea36e31e30236706142ac8e66c01b48fe434d14442613bda5930230755440c0d9a5cee1

memory/828-243-0x0000000000340000-0x0000000000352000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01b6960ddf80d59383e736cdfd4fb373
SHA1 aa589ce363c860d58e0020d18d88d1efad1d3d6b
SHA256 67a5795da382769ca9e9d733259d1a228a7bb9ddbce562f3f5e8a53fbced0a60
SHA512 4c3c642ca38076b96bc48cd580aa4654c401e0476c912b8463569ccf2c09b32384793e96afce73d4086292f2445d85a2d314addda3f80723ac1936b20c8eb5c3

C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat

MD5 e0463372cc1f37e08ac45555288df396
SHA1 e88d0d848bce627a946078ba28a17e5122f58521
SHA256 4eb74ef2fb43bd7ee365aa19623b69d2f83e2a77a397811b2b5a8e21c3260c94
SHA512 bd8d73999037e1af7358171c257a1a87512abb41259380a1b744d3c80a2c8b1f0cb7e43e0fc63e6ad2133c23755fce1bec1d1bd8a90ba7c104ba8b3f7e24f4ae

memory/1520-303-0x0000000000B90000-0x0000000000CA0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d0933ea0a71c63e9952fbfed7bd5310
SHA1 2568eac50114741a3a55d3121c2f2c938356eeeb
SHA256 ce1fe9b679e99c821ff4a302d39a734134380d305ae6025c1c511bf16bcccdf3
SHA512 4a161dc5eb5dec72a8060a40166f6c8c3a8deee64a1f0283c72de06cfd71b252057744f90cc3e7fa4f15e134ce9102bd2db341f6d7b9eebcffbc637705eeed41

C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

MD5 d0a78f548cea8818012c58b3ad71bf0d
SHA1 2a5d39c055d58f025f597d9865fb290d2b0a75f5
SHA256 f7a76b1fa16bc2ce8ea49e41c908281c4ed9616811b4772fc272a73b2ddbc605
SHA512 8bad7f5dee398de3df8fc6e4203ca162a6820ee1d90ddafe088f5d64be0e272df410ab136a0a11ba4fcfdb6ef49c620ac0b8df4f31dd3c90292d24799d1500fe

memory/3056-363-0x0000000000DF0000-0x0000000000F00000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d24aecc4f81fa54e413b99d75756319
SHA1 b70864a2cca33d7d45e02c026ebeb69f8bf9be25
SHA256 4db7d1bb6b120d7d040028712ae6662cd5504c1c22ad15b6f95ba2e87cbe6921
SHA512 c38219d1ef78be21927deaca1a6e96b2043d01bb19bdc06f76cb007adcc7146e1cb63a2d9723bfb6550c7bf8f4c9272bf52a2222a7a075f154fb722f5a17bbc7

C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

MD5 91afc21aba9ffe93c4b0bb704a75ddce
SHA1 e58029158b39777d8e2e1d64dbfa414661335629
SHA256 0822b93070ac2603b07d9d113809969b019f3a2b0c53c1eb43df97a87f28b5c8
SHA512 04623831a8fa42a097aac4e74519865053a5a858624089daf0d4b7aacd7b4aa2a6a11e087c11a2d0c8724d95bf2eaa9fc0995c930d6c0a9b45d6f110a06d3cb7

memory/1944-423-0x0000000000110000-0x0000000000220000-memory.dmp

memory/1944-424-0x00000000004D0000-0x00000000004E2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7b873202ee07de638d874e85de330f4
SHA1 a659b8f57c228ca307b07f55686935a749c2353f
SHA256 70babfa5e9a5186b49738d56bb7ef0c0e6dcbac3cb98a80b5358b03d6e0a7929
SHA512 b9092b5298783b4ac486c4feed7dd23de2b7abf05c8e2e52c3db907bb0f1576db5aa149852af4cd025f0a31484f4873fdbc29457ba8b15dfa18321d2f518b772

C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

MD5 149d885fb8b40642002e0a1a2a9ae978
SHA1 add8edb798cb6b21ade6390f9a117036eb8594ae
SHA256 850f1b0b007a69b4fa94423b619ceef67f14fd8eac0a6dff03e4c4a00a7463a3
SHA512 a2efd72cbb11ca3cd84099244cf0dc9873240b1f8e1aea495e878939047006bb9fffb5a71c7d9c31eb4ea3092d20c2957fc19351acded48ed79632031ffa5448

memory/1676-484-0x0000000000870000-0x0000000000980000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 251417e90e5cc9b6d691a607152b974c
SHA1 1a499878c9c3fae0369ce66c7459eee67c8ebd4e
SHA256 4a52466385ff7dc02bb0c8adeb47508251918e78bffaed98fcbf3f386c64b201
SHA512 3db706ae554b551b6aa409b42da6643a4d50c62190ce7c6bc09271320638993ba3cfbaabeb6872e30e307c0d8963da8ef68c09150111310ebb13e382b6a93a20

C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

MD5 3453177817f5e48018e8c64235867bbb
SHA1 5b214bf61a0b8f7ffa5677a03b486a5671b60139
SHA256 6c80f65959edbbedb0ab006e09527fc00bc8aa3c4fc6348b8cf1f81ffdc8017d
SHA512 9ee8018b90bf622443ab99d12d61d072265d8fb97951545f9cd6f268610da33e8404fdb72d3b88a054d62b972650b96e50a9f2502cbf717dcdde3eb2018ed9f2

memory/2468-544-0x0000000000980000-0x0000000000A90000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b514929dcea8020e4e8a5acc83db88af
SHA1 80851821dd128b24a722de1a739c523be5ff4fc7
SHA256 211e84f70c988e922e863b3d81917bf873c056932cf6177751664635b62d0a24
SHA512 83a8a46a23a0a344deccf002c29158185c8c8e6aacde627f00e8031d2a20485c44c24529d924356a0f70f9c3c17832bacc4f4454de321af50fcfb145cd63dc7d

C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat

MD5 8f262c3afd07b732356a44508cc60ff7
SHA1 7542704dbbaccd3909a3627d9c4b808169b2be55
SHA256 cb37de1ea77e4e2ab1db26021d145df27c8168ecdd5127e3702eaefe2780710f
SHA512 70caf8c64bc9c680731f1c23b900f77e43b98c946dbd8baffd37247a6ade2dccd63c04f717da217c1e5b2a3faab3518571e21e3b3f738a98fe82ec97ee9995bd

memory/1820-604-0x0000000000060000-0x0000000000170000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 17:29

Reported

2024-12-30 17:32

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\29c1c3cc0f7685 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\e1ef82546f0b02 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\e6c9b481da804f C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe C:\Windows\SysWOW64\WScript.exe
PID 1056 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe C:\Windows\SysWOW64\WScript.exe
PID 1056 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe C:\Windows\SysWOW64\WScript.exe
PID 2900 wrote to memory of 4728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 4728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 4728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4728 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4536 wrote to memory of 1592 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4536 wrote to memory of 1592 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4536 wrote to memory of 3808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4536 wrote to memory of 3808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4536 wrote to memory of 4880 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4536 wrote to memory of 4880 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4536 wrote to memory of 3676 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4536 wrote to memory of 3676 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4536 wrote to memory of 2868 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4536 wrote to memory of 2868 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4536 wrote to memory of 4108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4536 wrote to memory of 4108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4108 wrote to memory of 2040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4108 wrote to memory of 2040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4108 wrote to memory of 3052 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 4108 wrote to memory of 3052 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 3052 wrote to memory of 2860 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 3052 wrote to memory of 2860 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 2860 wrote to memory of 856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2860 wrote to memory of 856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2860 wrote to memory of 1612 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 2860 wrote to memory of 1612 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 1612 wrote to memory of 4428 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 1612 wrote to memory of 4428 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 4428 wrote to memory of 264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4428 wrote to memory of 264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4428 wrote to memory of 4712 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 4428 wrote to memory of 4712 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 4712 wrote to memory of 3684 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 4712 wrote to memory of 3684 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 3684 wrote to memory of 3516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3684 wrote to memory of 3516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3684 wrote to memory of 3500 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 3684 wrote to memory of 3500 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 3500 wrote to memory of 2668 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 3500 wrote to memory of 2668 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 2668 wrote to memory of 744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2668 wrote to memory of 744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2668 wrote to memory of 2660 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 2668 wrote to memory of 2660 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 2660 wrote to memory of 2880 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 2660 wrote to memory of 2880 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 2880 wrote to memory of 3832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2880 wrote to memory of 3832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2880 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 2880 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 3276 wrote to memory of 3920 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 3276 wrote to memory of 3920 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 3920 wrote to memory of 3268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3920 wrote to memory of 3268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3920 wrote to memory of 4232 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 3920 wrote to memory of 4232 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
PID 4232 wrote to memory of 4676 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 4232 wrote to memory of 4676 N/A C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Windows\System32\cmd.exe
PID 4676 wrote to memory of 408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4676 wrote to memory of 408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44b76170b873b45f65b0ea1e435ce6f8fa3ba8bcc2a6fbcf76b919f7845014ef.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsaJZj7IEG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
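The process list above shows the whole DCRat bootstrap in plain command lines: three schtasks entries per dropped binary (a minute-interval watchdog plus an ONLOGON task at /rl HIGHEST), a Defender exclusion added for each payload path, and a relaunch loop in which OfficeClickToRun.exe runs a random-named .bat from %TEMP% that calls w32tm /stripchart against localhost before starting the binary again. The following Python rule set, added here as a triage example and not part of this sandbox report or its tooling, flags each of those behaviours over constructed sample input built from the command lines on this page plus one benign control task. The system-directory list, the 15-minute watchdog threshold and the reading of w32tm as a delay primitive are assumptions to tune.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: lines 1-8 are copied from the Processes list of this
# report; line 9 is a constructed benign task (System32 target, daily schedule)
# used as a control so the rules can be seen not to fire on it.
SAMPLE = r"""
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /f
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /f
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsaJZj7IEG.bat"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup" /f
""".strip().splitlines()

# Assumptions: where task targets are expected to live, and the repeat interval
# at or below which a MINUTE schedule is treated as a watchdog.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MAX_WATCHDOG_MINUTES = 15

SCHTASKS_RE = re.compile(r'^"?schtasks(?:\.exe)?"?\s+/create\b', re.I)
TR_RE = re.compile(r"""/tr\s+["']*([A-Za-z]:\\[^'"]+?\.exe)""", re.I)
SC_RE = re.compile(r"/sc\s+(\w+)", re.I)
MO_RE = re.compile(r"/mo\s+(\d+)", re.I)
RL_HIGHEST_RE = re.compile(r"/rl\s+HIGHEST\b", re.I)
EXCLUSION_RE = re.compile(r"""Add-MpPreference\s+-ExclusionPath\s+["']*([^'"]+)""", re.I)
W32TM_RE = re.compile(r"\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b", re.I)
TEMP_BAT_RE = re.compile(r"""cmd\.exe"?\s+/c\s+"?([A-Za-z]:\\[^"]*\\Temp\\[^"\\]+\.bat)""", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    cmdline: str


def is_system_path(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def parse_schtasks(line: str) -> dict | None:
    """Pull target, schedule, interval and run level out of a schtasks /create line."""
    if not SCHTASKS_RE.search(line):
        return None
    m_tr, m_sc, m_mo = TR_RE.search(line), SC_RE.search(line), MO_RE.search(line)
    return {
        "target": m_tr.group(1) if m_tr else "",
        "schedule": m_sc.group(1).upper() if m_sc else "",
        "every": int(m_mo.group(1)) if m_mo else None,
        "highest": bool(RL_HIGHEST_RE.search(line)),
    }


def check_line(line: str) -> list[Finding]:
    """Single-line rules; each mirrors one behaviour in the Processes list."""
    found: list[Finding] = []
    task = parse_schtasks(line)
    if task and task["target"] and not is_system_path(task["target"]):
        reasons = []
        if task["highest"]:
            reasons.append("runs with /rl HIGHEST from a non-system directory")
        if task["schedule"] == "MINUTE" and task["every"] is not None and task["every"] <= MAX_WATCHDOG_MINUTES:
            reasons.append(f"re-launches every {task['every']} minute(s)")
        if reasons:
            found.append(Finding("schtasks_persistence", f"{task['target']} ({'; '.join(reasons)})", line))
    m = EXCLUSION_RE.search(line)
    if m:
        found.append(Finding("defender_exclusion", m.group(1).strip(), line))
    if W32TM_RE.search(line):
        found.append(Finding("w32tm_delay", "w32tm /stripchart against localhost; in this report it precedes each relaunch and acts as a sleep", line))
    m = TEMP_BAT_RE.search(line)
    if m:
        found.append(Finding("temp_batch_launch", m.group(1), line))
    return found


def analyze(lines) -> list[Finding]:
    """Per-line rules plus one cross-line rule: the same payload path registered
    by more than one task (this report registers three tasks per binary)."""
    findings: list[Finding] = []
    targets: Counter = Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        findings.extend(check_line(line))
        task = parse_schtasks(line)
        if task and task["target"]:
            targets[task["target"].lower()] += 1
    for target, n in targets.items():
        if n > 1:
            findings.append(Finding("schtasks_redundant", f"{target} registered by {n} tasks", ""))
    return findings


def summarize(findings) -> dict:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"[{f.rule}] {f.detail}")
    print(summarize(analyze(SAMPLE)))
```

On a real host the same rules can be fed the CommandLine field of Sysmon Event ID 1 or Security Event ID 4688 records instead of the embedded sample; the benign wbadmin control line produces no finding, which is the check that the rules key on location and run level rather than on schtasks itself.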

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4536-12-0x00007FFC76913000-0x00007FFC76915000-memory.dmp

memory/4536-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

memory/4536-14-0x00000000014A0000-0x00000000014B2000-memory.dmp

memory/4536-15-0x0000000001750000-0x000000000175C000-memory.dmp

memory/4536-16-0x0000000001740000-0x000000000174C000-memory.dmp

memory/4536-17-0x0000000001770000-0x000000000177C000-memory.dmp

memory/3676-40-0x000001C4087C0000-0x000001C4087E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjnmympm.3yb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\SsaJZj7IEG.bat

MD5 8baf283453a5b11d0f1230fcc13e0dc0
SHA1 e33133500760e6da281107673acabd157beb8ae3
SHA256 b8477593fbfa861153437ee2316b6c78772c3c1641909579751399f1e5a4b10a
SHA512 43617af56ffefb2c4d6f399b5536c90c5e4dac248cb5deb0f810e572762e0ef2be350ea05d63a159a1e733147c018017e99ed54890a9f4e59741d73f7e342748

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

memory/3052-92-0x00000000023D0000-0x00000000023E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat

MD5 dbdc017aa85470794d577c1bc8b174dd
SHA1 dbc9e9357fc53e0acdc8f660779ed5063215ea49
SHA256 d76450d9ffddc0211d4347101c007aa8b2a83e9e1dc3dc9ccc5a414143b09ae1
SHA512 afb098827bebaa761cc33353b50a3732741ee8975ab287f6178b8ecf36cf32007f0ec0ce598190f4f5c803e92b43a3d19e0d8c376e386f912fbfd8e3acb04eba

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat

MD5 0eaba81a9c0e99d5166ca78067b3aec9
SHA1 e945af8d6d135d13b7df074b63e41124cce8ab7d
SHA256 c8e698886fe0a6a695af7b0da56a1e71e4c01c7e85b507cb8be07df1518bc6a1
SHA512 ebbc22bdea2b8eaf7396a839aa5f8ecc621655b94455fe965275b4dfc6d5d249e6d31a8602ce2a4b53ab2c03e79e50b45d1edf4888e76a2f8d8ab509f3931625

C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

MD5 12cf7b9b91a52b8744dc5fc9c892c6ad
SHA1 43a00ae5d2fa9391e0f46e5e2e32cef7318f8b61
SHA256 0e90640fc158d8da1008a7c70b10baa1032cd6db48a48cf31df9485c847764ae
SHA512 254cb6ef8ba4ba91784dafc47ba64bd5f761470487363d9a5a9b5fc16d0a65e1a53b481d1aa9ef245d2bcff661295ab84982655239362d9afd371f3ca9c07d09

C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat

MD5 8c1095b0ad5eb3dbb01347be5957b8c1
SHA1 ce9e451c18ed9215c4ceee01a77155c8baa02b0d
SHA256 a5adc59727ec30c99a4ddb69e2468120f745e34f8961d5c364f94dd29929ac90
SHA512 4cb0534a77279379c7d598ed8ad8e74438d82c8e2593779a9950fa30c94d3bf3d0ce5dd246e63f5da66e75ef1268399a11594ef76b8d8727decbdbbf3ea3255a

memory/2660-119-0x0000000001540000-0x0000000001552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

MD5 896c05a7644f5bd576ac18075206349d
SHA1 1067a50708ddabe8b6550ec11b4b8cdeb1195c61
SHA256 354e13ce8b276481f5e514bad74b817422c6822f7bb290ccf768e5171a30cb0a
SHA512 ee8c652345e03a840dc966189cc414ea8eab3f1bb0b0f3beb0ca73ff37d38a5ec15767053a516243c16ce05a3e3559fe66b8a5df9134584fbbfde4fb63077df0

memory/3276-126-0x0000000002940000-0x0000000002952000-memory.dmp

memory/4232-133-0x0000000001620000-0x0000000001632000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat

MD5 a582e622f98afc38e4a61f75e0afa5eb
SHA1 4b0a44f122e11c91d12f82f195ec75fedb473bba
SHA256 0552a3924fa3d42a14d0255fed5d695a2ab0816f05029723a7f3a5f8d93b59f9
SHA512 a9a2557d4459010038135de2fba755d91602d6abe3b51adb253ba37526d1c43b95e78fbdd660720ed2eac360b4c54605accd923e82271595596f7d0b9559eb02

memory/3916-140-0x0000000002980000-0x0000000002992000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat

MD5 bc07d8cf8cd6955ca6ddc29071d66bd7
SHA1 6b4e360bf0e549df7d48c69ca500a95887df6989
SHA256 ff4f83dce7895ca7f02467d6f805aea91faf6e063c4d0bf9baed9db1ea5e95c2
SHA512 409c90f03ffd4ed2197b374e13ab891eedec4abfd84647d7337261477e986e37de76941c913d81570e3973354a64cf7641e2efb6709c7604b990b3fef68574f8

memory/2308-147-0x0000000002EC0000-0x0000000002ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

MD5 9a4252935cda676dae7d8bf7763fdc6b
SHA1 2794e0ad8d678e427b95f0107053d54fbfba4a8c
SHA256 0f973a29b95ce05a6b6b80e4ff6ced23c27797f6b755950b00b86b3df7a3df9d
SHA512 b4f3beb6cc24ca9c2efc407edfcb6fa1000f1155accdb55e5f14c5b8486cb27300df459c6117a2125bb5d024d21b36bdf2371183855db869d78bbfbc2050ae46

C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat

MD5 9ed72d03e3c5f44af2be40831c71b945
SHA1 0f0eb7958fb3ce6fc5de09db8b1220679e351430
SHA256 cac8c48268f2b3d37e15a42dbf45e708547f794a6f37bd167ef88449b1d6e679
SHA512 bee8d56f7fcda4e57715c7fd27d58097a886adb6b492f3072c0c64c7f5b706221c8c7a3766811873414ae1710841e12fca9b4ff2b3b3d2f9f0ac5a8581ab6e07

memory/1820-160-0x0000000002C10000-0x0000000002C22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

MD5 9e1975190d1c4c8058f3e9fcf8984f09
SHA1 fbdc89c9e4c324de13f82063ea8127e7fb8f02ee
SHA256 f99247ab55c3bc7fb6ae6c89b9148b693b84edbd2394353cf29a35e737595a47
SHA512 a04bf7bb47b7f0216060d8c18c7cfe18dd8092802c5fdbe111e7cd7d8b5436e4dc0402625e2ea4edf2b32c565db1575540013af31bcc9149fda286b07a3d05d5